code-423n4 / 2022-06-putty-findings


Payable admin functions #338

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L228
https://github.com/code-423n4/2022-06-putty/blob/3b6b844bc39e897bd0bbb69897f2deff12dc3893/contracts/src/PuttyV2.sol#L240

Vulnerability details

Impact

Admins may accidentally lose ETH.

Proof of Concept

There are some admin functions using the payable keyword. As the contract has no way to retrieve ETH, those funds will be locked forever.

function setBaseURI(string memory _baseURI) public payable onlyOwner {
function setFee(uint256 _fee) public payable onlyOwner {

Recommended Mitigation Steps

Remove payable from those functions
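The pattern in this finding, as an added illustration that is not PuttyV2 code: a minimal owner-gated contract with one setter left `payable` (ETH sent with the call is accepted and has no exit) beside the same setter without `payable` (the compiler emits a `CALLVALUE` check, so a call carrying ETH reverts before any state change). The contract and function names, the `StuckEtherDemo` harness, and the demo values are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Illustrative contract only (names assumed, not from the audited repo).
contract AdminPayableExample {
    address public immutable owner;
    uint256 public fee;
    string public baseURI;

    error NotOwner();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Pattern reported in the finding: `payable` on an admin setter.
    // Any ETH attached to the call is accepted; with no withdraw or
    // sweep function in the contract it can never be moved out again.
    function setFeeUnsafe(uint256 _fee) public payable onlyOwner {
        fee = _fee;
    }

    // Recommended mitigation: drop `payable`. Solidity then inserts a
    // CALLVALUE check and reverts any call that carries ETH.
    function setFee(uint256 _fee) public onlyOwner {
        fee = _fee;
    }

    function setBaseURI(string memory _baseURI) public onlyOwner {
        baseURI = _baseURI;
    }

    // The observable symptom an auditor checks for: a non-zero balance on a
    // contract that has no code path able to send ETH out.
    function lockedEther() external view returns (uint256) {
        return address(this).balance;
    }
}

// Harness showing both behaviours; it deploys the target, so it is the owner.
contract StuckEtherDemo {
    AdminPayableExample public immutable target;

    constructor() {
        target = new AdminPayableExample();
    }

    // Owner mistakenly attaches ETH to the payable setter: the call succeeds
    // and the returned balance shows the amount now stranded in the target.
    function reproduceStuck() external payable returns (uint256 stranded) {
        target.setFeeUnsafe{value: msg.value}(100);
        stranded = target.lockedEther();
    }

    // Same mistake against the non-payable setter: the call reverts, so the
    // ETH stays with the caller. Returns true when the revert was observed.
    function reproduceFixed() external payable returns (bool reverted) {
        try target.setFee{value: msg.value}(100) {
            reverted = false;
        } catch {
            reverted = true;
        }
        // Any ETH the caller attached is still held by this harness, not the target.
    }
}
```

Deploying `StuckEtherDemo` and calling `reproduceStuck` with a non-zero `value` returns that value as the target's balance, while `reproduceFixed` with the same `value` returns `true`; the difference is exactly the `payable` keyword the finding asks to remove.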

rotcivegaf commented 2 years ago

Duplicate of #259

outdoteth commented 2 years ago

payable is added to reduce gas costs.

HickupHH3 commented 2 years ago

Warden has no QA report