Raisebox Faucet

First Flight #50
Submission Details
Impact: low
Likelihood: high
Invalid

`RaiseBoxFaucet` Protocol Lacks "Allow Admin to Withdraw ETH" Function

Description

  • Under normal circumstances, the protocol administrator should have the authority to withdraw unused ETH, allowing recovery of unnecessary funds when the protocol becomes inactive in later stages.

  • However, this protocol clearly does not include a withdrawal function.

  • This means that once the administrator (or a donor) transfers ETH into the contract, that ETH cannot be recovered, even if the protocol later becomes inactive and is ready to be discontinued.

Risk

Likelihood:

  • Certain to occur.

Impact:

  • All unused ETH in the entire protocol will be permanently locked in the contract.

Proof of Concept

  • None

Recommended Mitigation

  • Implement a withdrawal function that only allows the administrator to call it and can specify the recipient address.

  • As shown below:

```solidity
function withdrawSepEth(address to, uint256 amount) external onlyOwner {
    // To emphasize that "the administrator cannot perform malicious withdrawals"
    // Some logic can be added (e.g., the administrator can only withdraw after the first claim has occurred and one full year has passed)
    // ....
    require(to != address(0));
    require(amount > 0);
    require(amount <= address(this).balance);
    (bool success,) = to.call{value: amount}("");
    require(success);
}
```

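
The time-lock idea mentioned in the comments above, written out as a standalone contract. This is an added example, not code from RaiseBoxFaucet or from the submission; the contract name, `firstClaimAt`, `WITHDRAW_DELAY`, the `claim()` stand-in, the event and the custom errors are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; not RaiseBoxFaucet code. All names here are hypothetical.
contract DelayedWithdrawSketch {
    address public immutable owner;
    uint256 public firstClaimAt;                       // 0 until the first claim happens
    uint256 public constant WITHDRAW_DELAY = 365 days; // "one full year" from the comment

    event EthWithdrawn(address indexed to, uint256 amount);

    error NotOwner();
    error WithdrawLocked();
    error BadRecipient();
    error BadAmount();
    error TransferFailed();

    constructor() payable {
        owner = msg.sender;
    }

    // Accept donations of ETH.
    receive() external payable {}

    // Stand-in for the faucet's claim path: it only records when the first
    // claim happened, which is all the withdrawal guard needs.
    function claim() external {
        if (firstClaimAt == 0) firstClaimAt = block.timestamp;
    }

    // Owner-only withdrawal that stays locked until a full year after the first claim.
    function withdrawSepEth(address payable to, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        if (firstClaimAt == 0 || block.timestamp < firstClaimAt + WITHDRAW_DELAY) {
            revert WithdrawLocked();
        }
        if (to == address(0)) revert BadRecipient();
        if (amount == 0 || amount > address(this).balance) revert BadAmount();

        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit EthWithdrawn(to, amount); // on-chain record of every admin withdrawal
    }
}
```

The emitted event gives donors and monitoring tools a record of each administrator withdrawal, and the custom errors make it visible which guard rejected a call.
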
Updates

Lead Judging Commences

inallhonesty Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Design choice
