Open code423n4 opened 3 years ago
Suggest lowering severity to 0 as it doesn't allow anyone to steal any funds. It's the same as (an intentional) lack of rescueToken function to rescue any accidentally sent token to the contract.
best practice recommendation, non-critical
Handle
pauliax
Vulnerability details
Impact
Contract LendingPair has an empty receive function that allows it to receive Ether. I suppose this was needed to receive ETH when withdrawing from WETH. As there is no way to send out accidentally sent ETH from this contract, I suggest adding an auth check to this receive function to only accept ETH from the WETH contract:
Recommended Mitigation Steps
require(msg.sender == address(WETH), "Not WETH");
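The recommended check in context, next to the open form the issue describes. This is an added example, not part of the original issue or the project's code; the contract names, the `IWETH` interface and the `_unwrapTo` helper are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal WETH surface used below (standard WETH9 function).
interface IWETH {
    function withdraw(uint256 amount) external;
}

// Before: any sender can push ETH in, and nothing sends it back out,
// so ETH sent by mistake stays locked in the contract.
contract OpenReceive {
    receive() external payable {}
}

// After: only the WETH contract may send ETH, which happens when
// this contract unwraps WETH via withdraw().
contract GuardedReceive {
    IWETH public immutable WETH;

    constructor(IWETH weth) {
        WETH = weth;
    }

    receive() external payable {
        // The check recommended in the issue.
        require(msg.sender == address(WETH), "Not WETH");
    }

    // Hypothetical unwrap path: WETH.withdraw() calls back into receive()
    // with msg.sender == WETH, then the ETH is forwarded to the recipient
    // in the same transaction, so no balance is left behind.
    function _unwrapTo(address payable to, uint256 amount) internal {
        WETH.withdraw(amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

The guard rejects ordinary transfers only; ETH forced into the contract through `selfdestruct` does not run `receive()` and is not affected by it.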