Submission Details
Impact:
Likelihood:
Unrestricted ETH Withdrawal in withdraw
Root + Impact
Description
The
withdrawfunction allows the contract owner to withdraw all ETH from the contract to any arbitrary address. While it is protected byonlyOwner, there are no sanity checks or event logs, and no access control for emergency situations or multi-sig requirements.
function withdraw(address target) external onlyOwner {
payable(target).transfer(address(this).balance);
}
// If the owner key is compromised, lost, or misused, the entire contract balance could be drained with zero audit trail.
Risk
Likelihood
One transaction can transfer entire balance.
No destination check, no timelock, no logging.
Impact
Full ETH loss for users.
No visibility or recoverability.
Proof of Concept
// If attacker takes over owner role:
festivalPass.withdraw(attackerAddress); // all funds drained
Recommended Mitigation
- function withdraw(address target) external onlyOwner {
- payable(target).transfer(address(this).balance);
- }
+ function withdraw(address target) external onlyOwner {
+ uint256 amount = address(this).balance;
+ require(amount > 0, "No ETH to withdraw");
+ payable(target).transfer(amount);
+ emit FundsWithdrawn(target, amount);
+ }
# Also consider adding:
pendingWithdrawAddress with delayed activation
Role-based access (using AccessContro
Rewards breakdown
nSLOC
234This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.