Closed code423n4 closed 2 years ago
Lines of code
https://github.com/code-423n4/2022-05-sturdy/blob/78f51a7a74ebe8adfd055bdbaedfddc05632566f/smart-contracts/LidoVault.sol#L141-L142
Vulnerability details
Impact
Sending ETH to LIDO can fail, and the function returns without checking the sent variable.
    (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');
    return receivedETHAmount;
    require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID);
Proof of Concept
Imagine that sent is false: it will then return receivedETHAmount, but no ETH was received.
Tools Used
Manual review
Recommended Mitigation Steps
Change
For
    (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');
    require(sent, Errors.VT_COLLATERAL_WITHDRAW_INVALID);
    return receivedETHAmount;
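The report above turns on statement order: a `require` placed after `return` is never executed. The following is an added example, not code from the Sturdy repository or from the report; `RejectingReceiver`, `WithdrawDemo` and `Harness` are hypothetical names, and the receiver is constructed so that every plain ETH transfer to it fails.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example: all contract and function names are hypothetical.

/// No payable receive/fallback, so a plain ETH transfer to this contract fails.
contract RejectingReceiver {}

contract WithdrawDemo {
    constructor() payable {}

    /// Statement order from the report: `return` comes before the check,
    /// so the require is unreachable and a failed transfer is reported
    /// to the caller as a successful withdrawal of `amount`.
    function withdrawUnchecked(address to, uint256 amount) external returns (uint256) {
        (bool sent, ) = to.call{value: amount}("");
        return amount;
        require(sent, "transfer failed"); // unreachable
    }

    /// Recommended order: check `sent` first, then return.
    /// A failed transfer now reverts the whole call.
    function withdrawChecked(address to, uint256 amount) external returns (uint256) {
        (bool sent, ) = to.call{value: amount}("");
        require(sent, "transfer failed");
        return amount;
    }
}

contract Harness {
    /// Runs both variants against a receiver that rejects ETH and returns:
    /// the amount the unchecked variant reported, the receiver's actual
    /// balance afterwards, and whether the checked variant reverted.
    function run() external payable returns (uint256 reported, uint256 received, bool reverted) {
        WithdrawDemo demo = new WithdrawDemo{value: msg.value}();
        address to = address(new RejectingReceiver());

        reported = demo.withdrawUnchecked(to, msg.value);

        try demo.withdrawChecked(to, msg.value) {
            reverted = false;
        } catch {
            reverted = true;
        }
        received = to.balance;
    }
}
```

Compiling this also produces solc's "Unreachable code" warning on the misplaced `require`, which makes the pattern easy to catch by treating compiler warnings as build failures.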
I think this issue was submitted to the wrong contest