Lines of code
https://github.com/code-423n4/2022-06-notional-coop/blob/main/notional-wrapped-fcash/contracts/wfCashLogic.sol#L298
Vulnerability details
Impact
The _sendTokensToReceiver function does not check that the receiver is not the contract itself. If funds are sent to this contract, there is no way to withdraw them and they get stuck in the contract.
Proof of Concept
User A redeems his fCash position using the redeem function and accidentally provides the contract address as the receiver.
The contract receives the funds, but they are now stuck with no way of withdrawal.
Recommended Mitigation Steps
Add a new function that allows the Admin to withdraw any underlying/asset token sent incorrectly to this contract.
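The missing receiver check and the recommended admin withdrawal, sketched side by side as an added example; this is not code from wfCashLogic.sol or from the report's author. The contract name, the single admin address, the function names and the ERC-20-only scope are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. All names here are hypothetical, not taken from wfCashLogic.sol.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReceiverGuardExample {
    address public immutable admin; // assumption: one trusted admin address

    event TokensRescued(address indexed token, address indexed to, uint256 amount);

    constructor(address admin_) {
        require(admin_ != address(0), "admin is zero");
        admin = admin_;
    }

    // Preventive check: reject the contract itself (and the zero address) as
    // receiver, so a mistaken redeem reverts instead of stranding the payout.
    function _sendTokens(IERC20 token, address receiver, uint256 amount) internal {
        require(receiver != address(0) && receiver != address(this), "invalid receiver");
        _safeTransfer(token, receiver, amount);
    }

    // Recovery path from the recommended mitigation: the admin can move out
    // tokens that reached this contract by mistake. Emits an event for auditing.
    function rescueTokens(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        require(to != address(0) && to != address(this), "invalid recipient");
        require(amount <= token.balanceOf(address(this)), "amount exceeds balance");
        _safeTransfer(token, to, amount);
        emit TokensRescued(address(token), to, amount);
    }

    // Accepts tokens that return nothing on transfer as well as those returning bool.
    function _safeTransfer(IERC20 token, address to, uint256 amount) private {
        (bool ok, bytes memory data) =
            address(token).call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

The guard removes the need for recovery in the case the report describes. An admin sweep like rescueTokens is only appropriate when the contract is not expected to hold that token on users' behalf during normal operation.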