Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

NFT price (ether) is locked in the smart contract

Root + Impact

The contract includes a payable function to accept Ether but lacks a corresponding function to withdraw it, which leads to the Ether being locked in the contract.

Description

`requestMintWeatherNFT` is payable and requires `msg.value == s_currentMintPrice`.

This value is the NFT price, and it stays locked in the smart contract.

```solidity
function requestMintWeatherNFT(
    string memory _pincode,
    string memory _isoCode,
    bool _registerKeeper,
    uint256 _heartbeat,
    uint256 _initLinkDeposit
) external payable returns (bytes32 _reqId) {
    // The caller must send exactly the current mint price.
    require(
        msg.value == s_currentMintPrice,
        WeatherNft__InvalidAmountSent()
    );
    // ... (rest of the function not shown)
}
```

Risk

Likelihood:

For each NFT minted, the NFT price will be locked in the smart contract

Impact:

The Ether paid for each mint is locked inside the smart contract.

Proof of Concept

Recommended Mitigation

Implement a public or external function that allows for the withdrawal of Ether from the contract.

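```solidity
// Owner-only withdrawal of collected mint fees.
function withdraw(uint256 amount) external onlyOwner {
    require(amount > 0, "Nothing to withdraw");
    // Forward the requested amount to the owner and revert if the transfer fails.
    (bool success, ) = msg.sender.call{value: amount}("");
    require(success, "Withdraw failed");
}
```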
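A Foundry test reproducing the locked-Ether behaviour and the effect of the recommended fix, added here as an illustration; it is not the submission's proof of concept or the project's code. `MintSink`, `MintSinkFixed`, `requestMint`, the 0.1 ether price, and the hand-rolled owner check (standing in for `onlyOwner`) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in, not the audited contract: keeps only the exact-price check.
contract MintSink {
    error InvalidAmountSent();
    uint256 public s_currentMintPrice = 0.1 ether; // constructed value
    function requestMint() external payable {
        if (msg.value != s_currentMintPrice) revert InvalidAmountSent();
    }
}

// Same contract plus the recommended withdraw, gated by a hand-rolled owner check.
contract MintSinkFixed is MintSink {
    address public immutable i_owner = msg.sender;
    function withdraw(uint256 amount) external {
        require(msg.sender == i_owner, "Not owner");
        require(amount > 0, "Nothing to withdraw");
        (bool success, ) = msg.sender.call{value: amount}("");
        require(success, "Withdraw failed");
    }
}

contract LockedEtherTest is Test {
    address owner = makeAddr("owner");
    address user = makeAddr("user");
    function test_mintPriceIsLockedWithoutWithdraw() public {
        MintSink sink = new MintSink();
        hoax(user, 1 ether); // fund the user and send the next call as them
        sink.requestMint{value: 0.1 ether}();
        // No withdraw selector and no fallback: the call fails and the Ether stays put.
        (bool ok, ) = address(sink).call(abi.encodeWithSignature("withdraw(uint256)", 0.1 ether));
        assertFalse(ok);
        assertEq(address(sink).balance, 0.1 ether);
    }

    function test_ownerCanWithdrawAfterFix() public {
        vm.prank(owner); // deploy as the owner so i_owner == owner
        MintSinkFixed sink = new MintSinkFixed();
        hoax(user, 1 ether);
        sink.requestMint{value: 0.1 ether}();
        vm.expectRevert("Not owner"); // a non-owner cannot drain the mint fees
        vm.prank(user);
        sink.withdraw(0.1 ether);
        vm.prank(owner);
        sink.withdraw(0.1 ether);
        assertEq(address(sink).balance, 0);
        assertEq(owner.balance, 0.1 ether);
    }
}
```

Run with `forge test` in a project that has forge-std installed.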
Updates

Appeal created

bube Lead Judge 3 days ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
