The rescueETH function is implemented to collect any unexpected ETH transferred to the infinityExchange.sol contract, But this function will not work as expected.
The function is supposed to return the eth from the contract to the specified destination address, but it transfers only the amount of ETH send by the caller as msg.value is used here.
/// @dev used for rescuing exchange fees paid to the contract in ETH
function rescueETH(address destination) external payable onlyOwner {
(bool sent, ) = destination.call{value: msg.value}('');
require(sent, 'failed');
}
use address(this).balance or custom amount specified by the caller for rescuing ETH.
/// @dev used for rescuing exchange fees paid to the contract in ETH
function rescueETH(address destination) external payable onlyOwner {
(bool sent, ) = destination.call{value: address(this).balance}('');
require(sent, 'failed');
}
Or,
/// @dev used for rescuing exchange fees paid to the contract in ETH
function rescueETH(address destination, uint256 amount) external payable onlyOwner {
(bool sent, ) = destination.call{value: amount}('');
require(sent, 'failed');
}
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/core/InfinityExchange.sol#L1230 https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/staking/InfinityStaker.sol#L344-L348
Vulnerability details
Impact
The
rescueETH
function is implemented to collect any unexpected ETH transferred to theinfinityExchange.sol
contract, But this function will not work as expected. The function is supposed to return the eth from the contract to the specified destination address, but it transfers only the amount of ETH send by the caller asmsg.value
is used here.Proof of Concept
In InfinityExchange.sol#L1230
Also in InfinityStaker.sol#L344-L348
Recommended Mitigation Steps
use
address(this).balance
or custom amount specified by the caller for rescuing ETH.Or,