Denial

Prevent the owner from withdrawing funds by causing the withdrawal function to run out of gas.

Vulnerable Code

Analyze the Solidity code below to find the vulnerability.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/Ownable.sol";

contract Denial is Ownable {

    address public partner; // withdrawal partner - could be hostile!
    uint public constant timeLock = 1 days;
    uint public withdrawTime;

    mapping (address => uint) public withdrawRequests;

    // Sets the withdrawal partner
    function setWithdrawPartner(address _partner) public {
        partner = _partner;
    }

    // Request withdrawal
    function requestWithdraw() public {
        withdrawRequests[msg.sender] = block.timestamp;
    }

    // Withdraw funds - vulnerable to gas exhaustion
    function withdraw() public {
        require(withdrawRequests[owner] > 0, "Owner has not requested");
        require(block.timestamp >= withdrawRequests[owner] + timeLock, "Lock time not passed");

        uint amount = address(this).balance;

        // External call to potentially hostile partner contract
        // If partner's receive() or fallback() consumes too much gas or reverts,
        // the withdrawal fails.
        (bool sent, ) = partner.call{value: amount}(""); // Low level call
        require(sent, "Withdrawal failed");

        // Reset request time - may not be reached if call fails
        withdrawRequests[owner] = 0;
    }

    // Allow owner to deposit funds
    function deposit() public payable onlyOwner {}

    // Fallback function to accept ether
    receive() external payable {}
}

Submit Explanation

Explain the vulnerability and how to exploit it.

Your Explanation

Hints (6)

Just a little peak

Hint 1

Hint 2

Hint 3

Hint 4

Hint 5

Hint 6

Explanation

Discomfort = Learning

Denial

Unveil Explanation