Missing onlyOwner access control (and nonReentrant) on withdraw() function
Root + Impact
Description
-
The withdraw() function is intended to let the owner retrieve any leftover funds after the hunt has officially ended (i.e. once claimsCount >= MAX_TREASURES).
-
The function is missing the onlyOwner modifier (which already exists in the contract) and the nonReentrant modifier. Any address on the network can call withdraw() as soon as the hunt ends, draining the entire contract balance to the owner address.
Risk
Likelihood:
-
The hunt will end once MAX_TREASURES (10) are claimed.
-
Any user (or bot) can monitor the contract state and call withdraw() the moment claimsCount >= MAX_TREASURES.
Impact:
-
Funds are still sent to the legitimate owner (no direct theft).
-
Griefing / nuisance attack possible (anyone can force the withdrawal).
-
Inconsistent with the rest of the admin functions (pause, fund, unpause, etc.) that properly restrict the caller.
-
Theoretical reentrancy vector because ETH is sent via low-level call without nonReentrant.
Proof of Concept
Any address can call the withdraw() function once claimsCount >= MAX_TREASURES, even though it should be restricted to the owner only. This demonstrates the lack of access control. The transaction succeeds for any caller, allowing anyone to trigger the withdrawal as soon as the hunt ends.
Recommended Mitigation
The onlyOwner modifier (already defined in the contract) ensures only the legitimate owner can call withdraw(). The nonReentrant modifier (already implemented and used in claim()) prevents any potential reentrancy attacks during the Ether transfer.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.