Weather Witness

First Flight #40
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: high
Valid

Unrecoverable ETH Due to Missing Withdrawal Mechanism

Root + Impact

Description

The WeatherNft contract accepts ETH from users when they call the requestMintWeatherNFT function to mint the weather NFT. Under normal operations, the protocol owner should be able to withdraw these funds as part of revenue collection. However, the protocol has no withdrawal mechanism for the ETH it receives, making the funds inaccessible to the owner.

function requestMintWeatherNFT(...) external payable returns (bytes32 _reqId) {
    require(msg.value == s_currentMintPrice, WeatherNft__InvalidAmountSent());
@>  s_currentMintPrice += s_stepIncreasePerMint;

Risk

Likelihood:

  • The contract does not have an ETH withdrawal function.

  • ETH is always sent to the contract on mint, and there is no path to access these funds.

Impact:

  • Protocol revenue becomes permanently locked, making the protocol unsustainable.

Proof of Concept

  1. Users call the requestMintWeatherNFT function and pay s_currentMintPrice in ETH.

  2. The WeatherNft contract receives s_currentMintPrice ETH.

  3. There is no withdraw function for the owner to access the funds sent to the contract.
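
The three steps above as a Foundry test, added here as an example and not part of the original submission. MintPaymentModel is a constructed stand-in that reproduces only the price check and step increase shown in the snippet; the real WeatherNft constructor and the elided requestMintWeatherNFT arguments are not on this page, so they are not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the payment path of requestMintWeatherNFT:
// same price check and step increase, no oracle request, no NFT logic.
contract MintPaymentModel {
    error InvalidAmountSent();
    address public immutable owner;
    uint256 public s_currentMintPrice;
    uint256 public s_stepIncreasePerMint;

    constructor(uint256 price, uint256 step) {
        owner = msg.sender;
        s_currentMintPrice = price;
        s_stepIncreasePerMint = step;
    }

    function requestMint() external payable {
        if (msg.value != s_currentMintPrice) revert InvalidAmountSent();
        s_currentMintPrice += s_stepIncreasePerMint;
    }
    // As in the finding: no function here sends ETH out of the contract.
}

contract LockedEthTest is Test {
    function test_mintRevenueIsLocked() public {
        address owner = makeAddr("owner");
        vm.prank(owner);
        MintPaymentModel nft = new MintPaymentModel(0.01 ether, 0.001 ether);

        // Steps 1 and 2: two constructed users mint at the current price.
        uint256 paid;
        for (uint256 i = 0; i < 2; i++) {
            uint256 price = nft.s_currentMintPrice();
            hoax(address(uint160(0x1000 + i)), price);
            nft.requestMint{value: price}();
            paid += price;
        }
        assertEq(address(nft).balance, paid); // 0.01 + 0.011 ether held

        // Step 3: the owner has no entry point that moves the balance.
        vm.prank(owner);
        (bool ok,) = address(nft).call(abi.encodeWithSignature("withdrawETH()"));
        assertFalse(ok); // no such function and no fallback: the call fails
        assertEq(owner.balance, 0);
        assertEq(address(nft).balance, paid);
    }
}
```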

Recommended Mitigation

Add a withdrawETH function to the WeatherNft contract with an onlyOwner modifier:

+ function withdrawETH() public onlyOwner returns(bool) {
+ (bool success, ) = payable(msg.sender).call{value: address(this).balance}("");
+ require(success);
+ return success;
+ }
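
Review bot: the bare `require(success);` in withdrawETH reverts with no reason, while requestMintWeatherNFT uses a custom error (`WeatherNft__InvalidAmountSent()`); follow the same convention here, for example `require(success, WeatherNft__WithdrawFailed());`, where the error name is a hypothetical one to be declared alongside the others. The `returns(bool)` is redundant because the function either reverts or returns true, so it can be dropped. Since the function is only meant to be called by the owner from outside, `external` is a tighter visibility than `public`, and emitting an event with the withdrawn amount would make revenue collection auditable off-chain.
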
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
