Any Ether sent to the protocol cannot be recovered, so it remains stuck permanently in the contract (e.g. AstariaRouter). Ether is not used in the protocol, yet many functions can still receive it because they carry the payable keyword.
Proof of Concept
Check the following functions in AstariaRouter:
mint
deposit
redeem
withdraw
pullToken
multicall (inherited from ERC4626RouterBase)
Tools Used
Manual analysis
Recommended Mitigation Steps
Because payable cannot be removed from multicall (it comes from a library), the easiest fix is to check that msg.value equals zero and revert otherwise.
Another possibility is to add a function to rescue ether that's sent to the contract.
Lines of code
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L130
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L146
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L162
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L178
https://github.com/code-423n4/2023-01-astaria/blob/main/src/AstariaRouter.sol#L207