search

sherlock-audit / 2023-04-footium-judging

13 stars 7 forks source link

Phantasmagoria - Funds can get stuck in FootiumPrizeDistributor.sol #352

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

Phantasmagoria

medium

Funds can get stuck in FootiumPrizeDistributor.sol

Summary

Vulnerability Detail

FootiumPrizeDistributor contract is lack of withdraw function that can lead to funds being locked. FootiumPrizeDistributor can obtain funds in a couple of ways::

  1. totalFee from FootiumAcademy are transferred to FootiumPrizeDistributor 
    (bool sent, ) = _prizeDistributorAddress.call{value: totalFee}("");
  2. Via makePayment() function in FootiumGeneralPaymentContract where _paymentReceiverAddress the address of the Footium Prize Distributor 
    (bool sent, ) = paymentReceiverAddress.call{value: msg.value}("");
  3. By direct transfer

Funds can get stuck when new merkleroot was set or user doesn't claimed his rewards see the following issue: https://github.com/sherlock-audit/2023-04-footium-Phantasmagoria13/issues/8

Impact

Funds can get stuck in FootiumPrizeDistributor.sol because there is no withdraw function

Code Snippet

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L1C1-L176

Tool used

Manual Review

Recommendation

Implement withdraw function in FootiumPrizeDistributor.sol