Submission Details
Impact:
Likelihood:
Missing onlyOwner modifier for withdraw
Author Revealed upon completion
withdraw() missing onlyOwner
withdraw() function was declared also the author included this function must be called by the owner when the hunt is done.
/// @notice Allow the owner to withdraw unclaimed funds after the hunt is over.
function withdraw() external {
require(claimsCount >= MAX_TREASURES, "HUNT_NOT_OVER");
uint256 balance = address(this).balance;
require(balance > 0, "NO_FUNDS_TO_WITHDRAW");
(bool sent, ) = owner.call{value: balance}("");
require(sent, "ETH_TRANSFER_FAILED");
emit Withdrawn(balance, address(this).balance);
}
Risk
Likelihood:
-
Individuals who are not the owner can call this function
Impact -
If the hunt was finished they can call
withdraw()before when the owner decides to do it
Proof of Concept
make withdraw function accessible only by the owner.
function withdraw() external{
require(claimsCount >= MAX_TREASURES, "HUNT_NOT_OVER");
uint256 balance = address(this).balance;
require(balance > 0, "NO_FUNDS_TO_WITHDRAW");
(bool sent, ) = owner.call{value: balance}("");
require(sent, "ETH_TRANSFER_FAILED");
emit Withdrawn(balance, address(this).balance);
}
Recommended Mitigation
+ add this
function withdraw() external onlyOwner{}
Rewards breakdown
nSLOC
220This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.