Beatland Festival

First Flight #44

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Impact: high

Likelihood: high

Invalid

Withdraw function access control contradicts documented business model

anchabadze

Description:

The withdraw() function contains a comment stating "Organizer withdraws ETH" but implements the onlyOwner modifier, creating a mismatch between documented functionality and actual implementation. This inconsistency suggests either the access control is incorrectly implemented or the documentation is inaccurate. The discrepancy creates confusion about the intended business model where organizers are expected to manage festival operations including fund withdrawal, but the technical implementation restricts this capability to the contract owner only.

Attack path:

Pass sales generate ETH revenue that accumulates in the contract
Organizer attempts to withdraw collected funds using withdraw() function
Transaction reverts due to onlyOwner modifier, despite organizer believing they have legitimate access
Organizer cannot access festival revenue needed for operational expenses or profit distribution

Impact:

Organizers cannot access funds needed for festival operations, vendor payments, or profit distribution

Unclear delineation between owner and organizer roles undermines operational clarity

Recommended Mitigation:

Choose one of the following approaches to resolve the inconsistency:

Update documentation to match implementation:

// Owner withdraws collected ETH to specified target address

function withdraw(address target) external onlyOwner {

Change modifier to match documentation:

// Organizer withdraws ETH

function withdraw(address target) external onlyOrganizer {

Implement dual authorization for enhanced security while maintaining organizer control:

function withdraw(address target) external {

require(msg.sender == organizer || msg.sender == owner(), "Unauthorized");

payable(target).transfer(address(this).balance);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

234

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.