search

code-423n4 / 2022-10-thegraph-findings

0 stars 0 forks source link

No withdraw mechanism for eth sent to GraphProxy contract #228

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/upgrades/GraphProxy.sol#L191-L201

Vulnerability details

Impact

The GraphProxy contract implements receive() and fallback() functions to receive funds. However, there is no method associated with a user to withdraw his funds which might be sent accidentally to the proxy contract, thus leading to most of the eth locked in the contract except in a case of selfdestruct.

Proof of Concept

fallback() external payable {
        _fallback();
    }

    /**
     * @dev Fallback function that delegates calls to implementation. Will run if call data
     * is empty.
     */
    receive() external payable {
        _fallback();
    }

Tools Used

Manual review

Recommended Mitigation Steps

A function to allow withdrawal of funds mistakenly sent to contract could be implemented.

0xean commented 1 year ago

This is the proxy that delegates these calls to the implementation

https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/upgrades/GraphProxy.sol#L157