HaHa - very sneaky.

***Warning***

To anyone tempted to mess with this contract - i.e. exploit the apparent flaw: you will likely lose your Ether.

Explanation follows.

It looks like there is a pretty tempting vulnerability in the withdrawal() function: when you send the function more than Limit Wei then it will send you the whole balance of the contract - the amount you sent plus the 0.36 Eth already there. Instant profit!

However, there is this innocent-looking, but nonetheless peculiar delegatecall to a logEvent() function in a different contract. To cut a long story short, this does not log an event. It actually sneakily modifies the value of the adr storage variable so that it no longer points to msg.sender . So the contract balance will not be sent back to you by the adr.send(this.balance) call, it will be sent somewhere else, since adr is no longer equal to msg.sender .