The emergencyWithdraw function allows the contract owner to withdraw the entire ETH balance to an arbitrary address.
Because the owner also controls the pause functionality and there is no timelock, this represents a significant centralization risk where a compromised or malicious owner can take all participant rewards.
Likelihood:
Reason 1: It requires the owner to act maliciously or for their private key to be compromised.
Reason 2: In a competitive audit context, centralization risks are documented even if the owner is currently trusted.
Impact:
Impact 1: If exploited, 100 percent of the contract value is lost.
Impact 2: Participants who have already spent resources finding treasures lose their rewards permanently.
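One way to reduce this risk, shown as an added example that is not the audited contract's code: a two-step emergencyWithdraw in which the recipient is announced on-chain and funds can move only after a delay. The contract name, the DELAY value, and the queue/cancel functions are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; not the audited contract. Every name other than
// emergencyWithdraw (TimelockedRescue, DELAY, queue/cancel) is hypothetical.
contract TimelockedRescue {
    address public immutable owner;
    uint256 public constant DELAY = 3 days; // assumed notice period
    address public pendingRecipient;
    uint256 public executableAt; // 0 means nothing is queued

    event WithdrawQueued(address indexed recipient, uint256 executableAt);
    event WithdrawCancelled(address indexed recipient);
    event WithdrawExecuted(address indexed recipient, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }
    receive() external payable {}

    // Step 1: announce the recipient on-chain; no funds can move yet.
    function queueEmergencyWithdraw(address recipient) external onlyOwner {
        require(recipient != address(0), "zero recipient");
        pendingRecipient = recipient;
        executableAt = block.timestamp + DELAY;
        emit WithdrawQueued(recipient, executableAt);
    }

    // A queued withdrawal can be withdrawn from the queue at any time.
    function cancelEmergencyWithdraw() external onlyOwner {
        require(executableAt != 0, "nothing queued");
        emit WithdrawCancelled(pendingRecipient);
        delete pendingRecipient;
        delete executableAt;
    }

    // Step 2: only after DELAY has passed, and only to the announced recipient.
    function emergencyWithdraw() external onlyOwner {
        require(executableAt != 0 && block.timestamp >= executableAt, "timelock active");
        address recipient = pendingRecipient;
        uint256 amount = address(this).balance;
        delete pendingRecipient; // clear state before the external call
        delete executableAt;
        emit WithdrawExecuted(recipient, amount);
        (bool ok, ) = recipient.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The delay protects participants only if reward claims stay open while a withdrawal is queued, so the pause control should not be able to block claims during that window.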