code-423n4 / 2022-06-connext-findings

loss of funds due to accidental transfer of ETH #269

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/promise/PromiseRouter.sol#L132

Vulnerability details

Issue: a relayer or other component can send ETH to PromiseRouter.sol by mistake.

Consequences: this will lead to loss of funds since there is no function to withdraw the ETH.

Affected Code

File: PromiseRouter.sol
131:   // ======== Receive =======
132:   receive() external payable {}

Recommended Mitigation Steps

Add a withdrawEth function, where onlyOwner can withdraw ETH that is not part of the fees.
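
Added example (not part of the original report and not Connext's code): one way to implement the recommended owner-only withdrawal so that it can only reach ETH that is not accounted for as fees. The contract name, `reservedFees`, `depositFee`, `payFee`, `excessEth` and `_send` are hypothetical, and it assumes fee ETH enters through an accounted function rather than through `receive()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contract for illustration; names below are assumptions, not PromiseRouter's API.
contract FeeHoldingRouter {
    address public immutable owner;
    // ETH deliberately deposited as fees; any balance above this is stray.
    uint256 public reservedFees;

    event ExcessWithdrawn(address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Accounted path: fee ETH is recorded so withdrawEth can never touch it.
    function depositFee() external payable { reservedFees += msg.value; }

    // Fees leave through their own path, which keeps the accounting in step.
    function payFee(address payable to, uint256 amount) external onlyOwner {
        reservedFees -= amount; // checked arithmetic: reverts if amount > reservedFees
        _send(to, amount);
    }

    // Unaccounted path: plain transfers land here and are not counted as fees.
    receive() external payable {}

    // ETH held beyond the recorded fees (accidental or forced transfers).
    function excessEth() public view returns (uint256) {
        return address(this).balance - reservedFees;
    }

    // Owner can recover only the stray ETH, never the fee balance.
    function withdrawEth(address payable to, uint256 amount) external onlyOwner {
        require(amount <= excessEth(), "exceeds excess");
        emit ExcessWithdrawn(to, amount);
        _send(to, amount);
    }

    function _send(address payable to, uint256 amount) private {
        require(to != address(0), "zero recipient");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```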

jakekidd commented 2 years ago

Note: it may also be possible to simply remove the payable receive method here. Worth handling either way.

LayneHaber commented 2 years ago

Duplicate of #67

0xleastwood commented 1 year ago

Anyone can "accidentally" transfer ETH to a contract. Downgrading to QA.

0xleastwood commented 1 year ago

There is no path of exploit so this issue is really just a best practice.

0xleastwood commented 1 year ago

Merging with #263.