Closed code423n4 closed 2 years ago
Handle
Jujic
Vulnerability details
Impact
There doesn't seem to be a use case for the existence of the receive() function. In fact, I will recommend removing it as it will prevent accidental native token transfers to the contract.
Proof of Concept
https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L2/gateway/L2Migrator.sol#L235
receive() external payable {}
Tools Used
Remix
Recommended Mitigation Steps
Remove the receive() function.
The L2Migrator needs to have receive() so it can receive ETH from the L1Migrator via migrateETH().
This is intended behaviour, marking as invalid.
invalid