Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Unrestricted withdraw Function — Missing Access Control

sageceo

Absence of an access control modifier or internal permission check, An Attacker can mint an arbitrary number of fake memorabilia collections.

Description

The withdraw(address target) function is marked external but lacks any form of access restriction. Anyone can invoke this function and potentially withdraw funds to an arbitrary address, which represents a critical security flaw.

// function withdraw(address target) external; // @audit missing access control

Risk

Likelihood:

Reason 1 // No preconditions or authentication checks are required.
Reason 2 // Fully automatable and scalable by bots or malicious scripts.

Impact:

Impact 1 // Any attacker can call this function and redirect all contract funds to an arbitrary wallet.
Impact 2 // Breaks trust in the contract and any application depending on it.

Proof of Concept

function testWithdrawCanBeCalledByAnyone() public {

// Simulate attacker wallet

address attacker = address(0xBEEF);

// Fund the contract with 10 ether to make the test realistic

vm.deal(address(contractInstance), 10 ether);

// Check balance before

uint256 before = attacker.balance;

// Attacker calls withdraw to send funds to self

vm.prank(attacker);

contractInstance.withdraw(attacker);

// Attacker should now have received funds

uint256 after = attacker.balance;

assertGt(after, before); // Balance increased => attack succeeded

}

Recommended Mitigation

Apply a strict access control modifier, or use AccessControl from openZeppline.
Never expose fund-handling functions (e.g., withdraw, transfer, mint) without strict access control.

- function withdraw(address target) external;

+ function withdraw(address target) external onlyOwner;

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.