Closed code423n4 closed 2 years ago
Note: it may also be possible to simply remove the payable receive method here. Worth handling either way.
Duplicate of #67
Anyone can "accidentally" transfer ETH to a contract. Downgrading to QA
There is no path of exploit so this issue is really just a best practice.
Merging with #263.
Lines of code
https://github.com/code-423n4/2022-06-connext/blob/b4532655071566b33c41eac46e75be29b4a381ed/contracts/contracts/core/promise/PromiseRouter.sol#L132
Vulnerability details
Issue: a relayer or other component can send ETH to PromiseRouter.sol by mistake.
Consequences: this will lead to loss of funds since there is no function to withdraw the ETH.
Affected Code
Recommended Mitigation Steps
Add a withdrawEth function, where onlyOwner can withdraw ETH that is not part of the fees.
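A sketch of the recommended mitigation, added here as an example; it is not code from the report or from PromiseRouter.sol. The contract name, `reservedFees`, `feeOf`, `depositFee`, `payFee` and `strayEth` are hypothetical, and `payFee` is simplified to an owner-only call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not PromiseRouter's code: every name here is an assumption.
contract FeeHoldingRouter {
    address public immutable owner;
    // ETH deposited as fees and still owed; the owner can never withdraw it.
    uint256 public reservedFees;
    mapping(bytes32 => uint256) public feeOf;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Plain transfers are accepted but not counted as fees, so they stay recoverable.
    receive() external payable {}

    // Fee deposits are tracked per id and added to the reserved total.
    function depositFee(bytes32 id) external payable {
        feeOf[id] += msg.value;
        reservedFees += msg.value;
    }

    // Paying a fee releases it from the reserved total (state is updated before the call).
    function payFee(bytes32 id, address payable relayer) external onlyOwner {
        uint256 fee = feeOf[id];
        feeOf[id] = 0;
        reservedFees -= fee;
        (bool ok, ) = relayer.call{value: fee}("");
        require(ok, "fee transfer failed");
    }

    // ETH held by the contract that is not part of the fees.
    function strayEth() public view returns (uint256) {
        return address(this).balance - reservedFees;
    }

    // Owner can recover only the non-fee balance.
    function withdrawEth(address payable to, uint256 amount) external onlyOwner {
        require(to != address(0), "zero recipient");
        require(amount <= strayEth(), "exceeds non-fee balance");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```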