code-423n4 / 2021-09-wildcredit-findings

receive() may lead to locked Ether #67

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

0xRajeev

Vulnerability details

Impact

LendingPair contract has a receive() function which allows ETH to be accidentally sent to this contract (via send/transfer or empty calldata) and get stuck/locked. Given that there are ETH-specific payable functions to handle Ether-related transactions, this is not required.

Proof of Concept

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LendingPair.sol#L67

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LendingPair.sol#L146

https://github.com/code-423n4/2021-09-wildcredit/blob/c48235289a25b2134bb16530185483e8c85507f8/contracts/LendingPair.sol#L221

Tools Used

Manual Analysis

Recommended Mitigation Steps

Safer to not define receive() function or instead have it revert to prevent ETH from being accidentally sent and locked in the contract.

talegift commented 2 years ago

This is required because we need to accept ETH when we withdraw it from WETH contract.

Will be fixed as suggested in #103

ghoul-sol commented 2 years ago

per sponsor comment, invalid
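
Added example, not code from LendingPair or from #103: one way to keep the `receive()` that WETH unwrapping needs while rejecting ETH sent by accident. The contract name, the `balances` accounting and the function names are hypothetical; the only assumption about WETH is the standard `deposit()`/`withdraw(uint256)` interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal WETH interface (standard deposit/withdraw).
interface IWETH {
    function deposit() external payable;
    function withdraw(uint256 amount) external;
}

// Hypothetical contract for illustration; not the audited LendingPair.
contract EthGateExample {
    // immutable: read from bytecode, so the check in receive() needs no
    // storage read under the small gas stipend of a transfer()-style send.
    IWETH public immutable weth;
    mapping(address => uint256) public balances; // WETH credited per user

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // ETH with empty calldata is accepted only from the WETH contract,
    // which sends it here during withdraw(). Every other sender reverts,
    // so a stray send/transfer cannot leave ETH locked in this contract.
    receive() external payable {
        require(msg.sender == address(weth), "ETH only from WETH");
    }

    // ETH-specific entry point: wrap at once and credit the caller.
    function depositETH() external payable {
        balances[msg.sender] += msg.value;
        weth.deposit{value: msg.value}();
    }

    // Unwrap and pay out. State is updated before any external call.
    function withdrawETH(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        weth.withdraw(amount); // triggers receive() with msg.sender == weth
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```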