Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Fund Theft Risk via Unrestricted withdraw()

Root + Impact

Description

The withdraw(address target) function allows the contract owner to withdraw all ETH collected from pass sales to any address passed as a parameter.

If access control or checks are weak in the implementation (e.g., a missing onlyOwner modifier), an attacker can call:

    festivalPass.withdraw(attackerAddress);

…and instantly drain the funds.

Risk

Likelihood:

  • Even if onlyOwner is applied, if ownership is ever transferred to a malicious address (or setOrganizer() affects who may withdraw), the ETH is lost.

Impact:

  • Complete theft of all collected ETH

  • Irrecoverable financial loss

  • Major trust breach and project credibility damage

Proof of Concept

// Attacker somehow becomes owner (via ownership transfer, bug, etc.)
festivalPass.setOrganizer(attackerAddress); // if organizer can withdraw
festivalPass.withdraw(attackerAddress); // sends all ETH to attacker

Recommended Mitigation

In implementation:

  • ✅ Use onlyOwner or onlyTreasury modifier

  • ✅ Allow withdrawal only to pre-approved addresses (e.g., multisig or treasury)

  • ✅ Add a timelock (or proposal delay) before large withdrawals

  • ✅ Emit clear events (FundsWithdrawn) — ✅ already present

Bonus:

  • Add circuit breaker (pause mechanism) to disable withdrawals during emergencies
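The mitigations above combined in one contract, as an added example that is not part of this submission or of the Beatland Festival code: the names GuardedTreasury, treasury, WITHDRAW_DELAY and queueWithdrawal are assumed, and the OpenZeppelin imports assume the v5 file layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example, not the FestivalPass contract: a withdraw path that applies
// the mitigations above (owner-only, fixed destination, delay, pause).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";

contract GuardedTreasury is Ownable, Pausable {
    // Assumed names; the page does not specify these.
    address public immutable treasury;            // only allowed destination
    uint256 public constant WITHDRAW_DELAY = 2 days;
    uint256 public pendingAmount;
    uint256 public pendingReadyAt;

    event FundsWithdrawn(address indexed to, uint256 amount);
    event WithdrawalQueued(uint256 amount, uint256 readyAt);

    constructor(address treasury_) Ownable(msg.sender) {
        require(treasury_ != address(0), "zero treasury");
        treasury = treasury_;
    }

    receive() external payable {}

    // Step 1: the owner announces a withdrawal; the ETH stays put during the
    // delay, which leaves time to pause if the owner key was compromised.
    function queueWithdrawal(uint256 amount) external onlyOwner whenNotPaused {
        require(amount > 0 && amount <= address(this).balance, "bad amount");
        pendingAmount = amount;
        pendingReadyAt = block.timestamp + WITHDRAW_DELAY;
        emit WithdrawalQueued(amount, pendingReadyAt);
    }

    // Step 2: after the delay anyone may execute, but funds can only reach
    // treasury, so a stolen owner key cannot redirect them (no address param).
    function withdraw() external whenNotPaused {
        uint256 amount = pendingAmount;
        require(amount > 0 && block.timestamp >= pendingReadyAt, "not ready");
        pendingAmount = 0;                      // clear state before the call
        pendingReadyAt = 0;
        (bool ok, ) = treasury.call{value: amount}("");
        require(ok, "transfer failed");
        emit FundsWithdrawn(treasury, amount);
    }

    // Circuit breaker: freeze queuing and execution during an incident.
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
}
```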

Updates

Lead Judging Commences

inallhonesty Lead Judge about 2 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
