Raisebox Faucet

First Flight #50
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: high

`RaiseBoxFaucet` Protocol Lacks "Allow Admin to Withdraw ETH" Function

Description

  • Under normal circumstances, the protocol administrator should have the authority to withdraw unused ETH, allowing recovery of unnecessary funds when the protocol becomes inactive in later stages.

  • However, this protocol clearly does not include a withdrawal function.

  • This means that once the administrator (or donors) transfer ETH into the contract, that ETH cannot be recovered, even if the protocol later becomes inactive and is ready to be discontinued.

Risk

Likelihood:

  • Certain to occur.

Impact:

  • All unused ETH in the entire protocol will be permanently locked in the contract.

Proof of Concept

  • None

Recommended Mitigation

  • Implement a withdrawal function that only the administrator can call and that lets the caller specify the recipient address.

  • As shown below:

function withdrawSepEth(address to, uint256 amount) external onlyOwner {
    // To emphasize that "the administrator cannot perform malicious withdrawals",
    // some logic can be added (e.g., the administrator can only withdraw after the first claim has occurred and one full year has passed)
    // ....

    // Reject the zero address so ETH is not sent to an unrecoverable destination
    require(to != address(0));
    // Reject empty withdrawals and amounts above the contract's balance
    require(amount > 0);
    require(amount <= address(this).balance);
    // Send the ETH and revert if the recipient rejects it
    (bool success,) = to.call{value: amount}("");
    require(success);
}
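
The time-lock guard that the comment in the mitigation only describes, written out as an added example (not the RaiseBoxFaucet code and not part of the original submission). The contract name, `claim()` stand-in, `firstClaimAt`, `WITHDRAW_DELAY`, the event, the custom errors and the compiler version are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version

// Added illustration: a minimal stand-in, not the RaiseBoxFaucet source.
contract FaucetWithdrawSketch {
    uint256 public constant WITHDRAW_DELAY = 365 days; // "one full year"
    address public immutable owner;
    uint256 public firstClaimAt; // 0 until the first claim is recorded

    event SepEthWithdrawn(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error ZeroAmount();
    error NoClaimYet();
    error WithdrawLocked(uint256 unlockAt);
    error InsufficientBalance(uint256 requested, uint256 available);
    error TransferFailed();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Accept donations and admin top-ups.
    receive() external payable {}

    // Hypothetical stand-in for the faucet's claim path: only the timestamp matters here.
    function claim() external {
        if (firstClaimAt == 0) firstClaimAt = block.timestamp;
    }

    function withdrawSepEth(address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        if (amount == 0) revert ZeroAmount();
        if (firstClaimAt == 0) revert NoClaimYet();
        uint256 unlockAt = firstClaimAt + WITHDRAW_DELAY;
        if (block.timestamp < unlockAt) revert WithdrawLocked(unlockAt);
        uint256 available = address(this).balance;
        if (amount > available) revert InsufficientBalance(amount, available);
        emit SepEthWithdrawn(to, amount); // log before the external call
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

With the guard tied to the first claim, a faucet that never receives a claim keeps its ETH locked; anchoring the delay to the deployment timestamp instead avoids that case.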
