code-423n4 / 2022-05-sturdy-findings


Upgraded Q -> H from 63 [1654488227536] #168

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Judge has assessed an item in Issue #63 as High risk. The relevant finding follows:

HickupHH3 commented 2 years ago

ETH can accidentally be sent to a contract that rejects the transfer, because the `sent` value returned by `address(_to).call{value: receivedETHAmount}('');` is not actually checked.

https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L140-L142

On line 140 a call is made to transfer ETH: `(bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');`. Then on line 141 `receivedETHAmount` is returned, and on line 142 the sending of ETH is checked.

Recommended Mitigation Steps

To fix this, lines 141 and 142 should be swapped.
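The ordering bug described above, shown as an added example that is not code from the Sturdy repository or from the warden's report. The contract, function names and the `RejectsEth` receiver are hypothetical; only the `_to.call{value: receivedETHAmount}("")` pattern and the return-before-require ordering mirror what the finding quotes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical vault used only to illustrate the finding; not LidoVault.
contract ForwarderExample {
    /// Caller context (share burning, accounting) is omitted; assume it has
    /// already happened before this forwarder runs, as in a withdrawal path.

    /// Vulnerable ordering: `return` comes before `require`, so the success
    /// check is unreachable. If `_to` rejects ETH, `sent` is false, the value
    /// stays in this contract, and the caller still sees a "successful"
    /// withdrawal of `receivedETHAmount`. solc emits "Unreachable code" for
    /// the dead require, which is a useful build-time signal for this bug.
    function forwardVulnerable(address _to, uint256 receivedETHAmount)
        internal
        returns (uint256)
    {
        (bool sent, ) = _to.call{value: receivedETHAmount}("");
        return receivedETHAmount;
        require(sent, "ETH transfer failed"); // never executes
    }

    /// Fixed ordering (the swap the mitigation recommends): check the result
    /// of the low-level call before returning, so a rejected transfer reverts
    /// the whole transaction instead of silently succeeding.
    function forwardFixed(address _to, uint256 receivedETHAmount)
        internal
        returns (uint256)
    {
        (bool sent, ) = _to.call{value: receivedETHAmount}("");
        require(sent, "ETH transfer failed");
        return receivedETHAmount;
    }

    // Public entry points so the two behaviours can be compared on a testnet.
    function withdrawVulnerable(address _to) external payable returns (uint256) {
        return forwardVulnerable(_to, msg.value);
    }

    function withdrawFixed(address _to) external payable returns (uint256) {
        return forwardFixed(_to, msg.value);
    }
}

/// Hypothetical receiver that rejects all plain ETH transfers: it has no
/// `receive` or `fallback`, so any `call{value: x}("")` to it returns false.
/// Sending to this contract through `withdrawVulnerable` succeeds from the
/// caller's point of view while the ETH never leaves `ForwarderExample`;
/// through `withdrawFixed` the transaction reverts with "ETH transfer failed".
contract RejectsEth {
    uint256 public dummy;
}
```

To reproduce, deploy both contracts, call `withdrawVulnerable(address(rejectsEth))` with some value and observe that it returns normally while `ForwarderExample`'s balance grows; the same call through `withdrawFixed` reverts. The `Unreachable code` compiler warning on the vulnerable variant is worth treating as an error in CI, since an unreachable `require` after a low-level call is exactly the shape of this finding.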

HickupHH3 commented 2 years ago

Duplicate of #157