Weather Witness

First Flight #40
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: high
Valid

No Native Token Withdrawal

There is no withdrawal function to move the native token out of the contract, so minting fees are locked.

Description

  • The requestMintWeatherNFT() function is marked payable, allowing users to send native tokens (e.g., ETH, AVAX) as payment for minting the NFT. However, the smart contract does not implement any function to withdraw these accumulated native tokens from the contract's balance.


Risk

Likelihood: High

  • Every successful call to requestMintWeatherNFT deposits native tokens into the contract's address.

  • There is no function currently available in the contract's code that can send these native tokens out.

Impact: High

  • Any native tokens sent to the contract as minting fees will become permanently locked within the contract's balance and cannot be accessed or retrieved by the contract owner or any other party.

Recommended Mitigation

Implement a function, callable only by the contract owner, that transfers the contract's entire native token balance to a specified recipient address. The `onlyOwner` modifier below assumes the contract already exposes an owner check (the judge's note refers to an owner); because the function can only be invoked by the owner and always sweeps the full balance, forwarding gas via `call` does not open a reentrancy path, but the owner should still supply a recipient that can receive native tokens, since a reverting `receive`/`fallback` will make the withdrawal fail.

```diff
+ function withdrawNativeToken(address payable _to) external onlyOwner {
+     uint256 balance = address(this).balance;
+     require(balance > 0, "Must be greater than zero"); // Ensure there's something to withdraw
+
+     // Use call so recipients with receive/fallback logic work and gas is forwarded
+     (bool success, ) = _to.call{value: balance}("");
+     require(success, "Failed transfer"); // Ensure the transfer was successful
+ }
```
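The following Foundry test is an added example, not code from the Weather Witness contest or from this submission. The WeatherNFT source is not reproduced on this page, so `LockedMint` and `WithdrawableMint` are hypothetical stand-ins: the first has a payable mint and no exit for value, mirroring the finding; the second adds the owner-only withdrawal recommended above. The tests show fees accumulating with no way out, the owner sweeping them after the fix, and the two failure modes (non-owner caller, empty balance) reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the audited contract: payable mint, no withdrawal path.
contract LockedMint {
    address public owner;
    uint256 public minted;

    constructor() { owner = msg.sender; }

    function requestMint() external payable {
        require(msg.value > 0, "fee required");
        minted++;
        // msg.value now sits in address(this).balance with no function able to move it.
    }
}

// Same stand-in with the recommended owner-only withdrawal added.
contract WithdrawableMint {
    address public owner;
    uint256 public minted;

    error NotOwner();
    error NothingToWithdraw();
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    function requestMint() external payable {
        require(msg.value > 0, "fee required");
        minted++;
    }

    // Sweeps the full balance to _to; only the owner may call it.
    function withdrawNativeToken(address payable _to) external onlyOwner {
        uint256 balance = address(this).balance;
        if (balance == 0) revert NothingToWithdraw();
        (bool success, ) = _to.call{value: balance}("");
        if (!success) revert TransferFailed();
    }
}

contract WithdrawTest is Test {
    address user = makeAddr("user");         // constructed minter address
    address treasury = makeAddr("treasury"); // constructed payout address

    function test_FeesAccumulateWithNoExit() public {
        LockedMint c = new LockedMint();
        vm.deal(user, 1 ether);
        vm.prank(user);
        c.requestMint{value: 0.1 ether}();
        // The fee is held by the contract, and LockedMint has no selector that sends value out.
        assertEq(address(c).balance, 0.1 ether);
    }

    function test_OwnerCanWithdraw() public {
        WithdrawableMint c = new WithdrawableMint(); // this test contract is the owner
        vm.deal(user, 1 ether);
        vm.prank(user);
        c.requestMint{value: 0.1 ether}();
        c.withdrawNativeToken(payable(treasury));
        assertEq(address(c).balance, 0);
        assertEq(treasury.balance, 0.1 ether);
    }

    function test_NonOwnerCannotWithdraw() public {
        WithdrawableMint c = new WithdrawableMint();
        vm.deal(user, 1 ether);
        vm.prank(user);
        c.requestMint{value: 0.1 ether}();
        vm.expectRevert(WithdrawableMint.NotOwner.selector);
        vm.prank(user);
        c.withdrawNativeToken(payable(user));
    }

    function test_WithdrawRevertsWhenEmpty() public {
        WithdrawableMint c = new WithdrawableMint();
        vm.expectRevert(WithdrawableMint.NothingToWithdraw.selector);
        c.withdrawNativeToken(payable(treasury));
    }
}
```

Run with `forge test` inside a Foundry project that has `forge-std` installed; the first test is the reproduction of the finding (value in, no function to get it out), and the remaining three exercise the fix.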
Updates

Appeal created

bube Lead Judge 4 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of `withdraw` function

The contract collects funds for minting a WeatherNFT, but there is no function that allows the owner to withdraw these funds.
