Closed code423n4 closed 2 years ago
defsec
Native fund transfers into the NestedFactory contract are only expected from the wrapped token contract. Hence, it would be good to restrict incoming fund transfers to prevent accidental native fund transfers from other sources.
https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedFactory.sol#L66
None
receive() external payable { require(msg.sender == address(WETH), 'only wrapped eth'); }
This is untrue, some functions of the contract are payable and are expecting native token transfers. e.g. create or addtokens
create
addtokens
Dispute accepted.
Handle
defsec
Vulnerability details
Impact
Native fund transfers into the NestedFactory contract are only expected from the wrapped token contract. Hence, it would be good to restrict incoming fund transfers to prevent accidental native fund transfers from other sources.
Proof of Concept
Tools Used
None
Recommended Mitigation Steps