SNARKeling Treasure Hunt

First Flight #59

Beginner FriendlyGameFiFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

(LOW)`emergencyWithdraw` forbids `recipient == owner`, so the owner cannot rescue funds to their own cold wallet

snavohburmaa

Location: contracts/src/TreasureHunt.sol:276

Description

The emergency withdraw function explicitly blocks sending back to the owner:

require(recipient != address(0) && recipient != address(this) && recipient != owner, "INVALID_RECIPIENT");

An emergency typically means the owner wants to move funds to a safer wallet they directly control. Blocking the owner as recipient forces them to use a third address, which is precisely the wrong UX in a real emergency.

Risk (L)

Likelihood: Low. only triggered during an emergency withdraw attempt.

Impact: Low. Friction in emergency recovery; owner may have to deploy a temporary receiving contract or use another EOA, costing time during an active incident.

Proof of Concept

function test_OwnerCannotEmergencyWithdrawToSelf() public {

vm.prank(owner);

hunt.pause();

vm.prank(owner);

vm.expectRevert(bytes("INVALID_RECIPIENT"));

hunt.emergencyWithdraw(payable(owner), 1 ether);

}

Run:

forge test --match-test test_OwnerCannotEmergencyWithdrawToSelf -vv

The test passes, the owner is blocked from rescuing funds to their own address.

Recommended Mitigation

Remove the recipient != owner restriction:

- require(recipient != address(0) && recipient != address(this) && recipient != owner, "INVALID_RECIPIENT");

+ require(recipient != address(0) && recipient != address(this), "INVALID_RECIPIENT");

Updates

Lead Judging Commences

s3mvl4d Lead Judge 18 days ago

Submission Judgement Published

Validated

Assigned finding tags:

owner cannot emergency-withdraw to self

The issue is that the emergency withdrawal mechanism unnecessarily forbids the owner from selecting their own address as the recipient, even though `emergencyWithdraw()` is already restricted to the owner, only callable while the contract is paused, and is explicitly described as an emergency recovery path. That makes recovery more cumbersome by forcing an owner to route funds through a secondary wallet during the very scenario where operational simplicity is most important.

Rewards breakdown

nSLOC

220

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!