code-423n4 / 2022-06-putty-findings


Locked funds: has payable function, but no withdrawal functionality. Therefore, the funds will be locked in contract. #355

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/main/contracts/test/unit/Exercise.t.sol#L19
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/test/unit/Cancel.t.sol#L14

Vulnerability details

Impact

The contract has a payable function (via its receive function), but no withdrawal capability. Therefore, ether sent to these particular contracts will be lost.

Proof of Concept

Ex:

```solidity
pragma solidity ^0.6.0;

// Minimal contract that locks ether: it accepts plain value transfers via
// receive(), but exposes no function that can ever send the balance out.
contract LockedEth {
    receive() external payable {}
}
```

references:

https://github.com/crytic/slither/wiki/Detector-Documentation#contracts-that-lock-ether

Tools Used

Hardhat, Truffle, Remix

Recommended Mitigation Steps

Payable functions can be removed, or a withdraw function can be added.
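
As an added illustration of the mitigation (this is example code written for this page, not code from the Putty repository or from the finding above), the locked pattern is shown beside a hardened variant that keeps `receive()` but adds an owner-gated withdrawal. The contract names `LockedEth` and `WithdrawableEth`, the `owner` field and the `Withdrawn` event are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Example only (not Putty code). Ether sent here can never leave: there is
/// a payable entry point but no path that moves value out of the contract.
/// Slither's `locked-ether` detector flags exactly this shape.
contract LockedEth {
    receive() external payable {}
}

/// Hardened variant (example only): same receive(), plus a withdraw that is
/// restricted to the deployer. The names below are assumptions for the example.
contract WithdrawableEth {
    address public immutable owner;

    event Withdrawn(address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    /// Accept plain ether transfers, e.g. refunds from another contract.
    receive() external payable {}

    /// Send `amount` wei to `to`. Only the deployer may call this.
    /// call() is used instead of transfer() so that a recipient contract is
    /// not limited to the 2300 gas stipend; the return value is checked so a
    /// failed send reverts instead of silently succeeding.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(to != address(0), "zero recipient");
        require(amount <= address(this).balance, "insufficient balance");

        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");

        emit Withdrawn(to, amount);
    }

    /// Convenience: sweep the whole balance to the owner.
    function withdrawAll() external {
        require(msg.sender == owner, "not owner");
        uint256 amount = address(this).balance;

        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");

        emit Withdrawn(owner, amount);
    }
}
```

For the test contracts this finding points at, a `receive()` with no withdraw is usually intentional: Foundry test contracts need to accept ether refunds from the code under test and are never deployed, so there is nothing to lose. The hardened form above matters only for contracts that actually hold user funds on chain. Running `slither . --detect locked-ether` over a repository lists every contract that matches the locked shape so the intentional cases can be reviewed and the rest fixed.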

rotcivegaf commented 2 years ago

Out of scope

HickupHH3 commented 2 years ago

Test contracts, OOS