search

code-423n4 / 2021-11-nested-findings

1 stars 1 forks source link

Restrict funds receivable to be only from wrapped native token #188

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

defsec

Vulnerability details

Impact

Native fund transfers into the NestedFactory contract are only expected from the wrapped token contract. Hence, it would be good to restrict incoming fund transfers to prevent accidental native fund transfers from other sources.

Proof of Concept

  1. Navigate to the following contract code.
https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedFactory.sol#L66

Tools Used

None

Recommended Mitigation Steps

receive() external payable {
  require(msg.sender == address(WETH), 'only wrapped eth');
}
adrien-supizet commented 2 years ago

This is untrue, some functions of the contract are payable and are expecting native token transfers. e.g. create or addtokens

alcueca commented 2 years ago

Dispute accepted.