code-423n4 / 2022-05-rubicon-findings


Empty receive function with no way to transfer out #425

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/main/contracts/peripheral_contracts/BathBuddy.sol#L69

Vulnerability details

Impact

BathBuddy has an empty receive function, but there is no function to get the native asset out, so it will be stuck in the contract forever. The release function for the native token was present in VestingWallet but was removed in BathBuddy: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v4.6/contracts/finance/VestingWallet.sol#L85-L89

Recommended Mitigation Steps

Consider removing this function to prevent accidental loss of a native asset.
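The pattern this finding describes, reduced to a minimal illustration. The following is an added example and is not BathBuddy's code or any code from the Rubicon repository; the contract names, the `beneficiary` address and the `release()` shape are assumptions made for the illustration. The first contract shows the locked-funds pattern (a `receive()` with no withdrawal path); the two variants after it show the two ways out that the finding and the referenced VestingWallet point to: remove the `receive()` so plain ETH transfers revert, or keep accepting ETH and provide a release function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical illustration of the pattern in the finding (not BathBuddy's code).
/// The contract accepts ETH through receive() but exposes no way to move it out,
/// so any ETH sent here is locked permanently.
contract StuckEther {
    receive() external payable {}
}

/// Mitigation A (the recommended step in the finding): drop receive() entirely.
/// A plain ETH transfer to this contract now reverts, which prevents accidental
/// deposits. ETH can still be forced in (e.g. via selfdestruct), but no user flow
/// can deposit by mistake.
contract NoEther {
    // intentionally no receive() and no payable fallback
}

/// Mitigation B: keep accepting ETH but provide a release path, modelled on the
/// VestingWallet release() the finding references. Beneficiary and the
/// "everything currently held is releasable" rule are simplifying assumptions.
contract ReleasableEther {
    address payable public immutable beneficiary;
    uint256 public released;

    event EtherReleased(uint256 amount);

    constructor(address payable beneficiaryAddress) {
        require(beneficiaryAddress != address(0), "beneficiary is zero address");
        beneficiary = beneficiaryAddress;
    }

    receive() external payable {}

    /// Amount of native asset that can currently be released.
    function releasable() public view returns (uint256) {
        return address(this).balance;
    }

    /// Sends the releasable amount to the beneficiary. Anyone may call it, but
    /// funds only ever go to the fixed beneficiary. State is updated before the
    /// external call (checks-effects-interactions).
    function release() external {
        uint256 amount = releasable();
        released += amount;
        emit EtherReleased(amount);
        (bool ok, ) = beneficiary.call{value: amount}("");
        require(ok, "native asset transfer failed");
    }
}
```

For a contract that has no business holding the native asset at all, variant A is the simpler and safer choice: there is no release logic to get wrong and no balance to account for. Variant B only makes sense when the contract is meant to custody ETH on someone's behalf, as VestingWallet is.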

bghughes commented 2 years ago

Duplicate of #78