code-423n4 / 2023-01-drips-findings


Locked Ether #308

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L144
https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L164
https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L193

Vulnerability details

Impact

Contract with a payable function, but without a withdrawal capacity.

All Ether sent to Caller will be lost.

Proof of Concept

File: Caller.sol

    // Forwards the entire msg.value to `to` on behalf of `sender`.
    function callAs(address sender, address to, bytes memory data)
        public
        payable
        returns (bytes memory returnData)
    {
        require(isAuthorized(sender, _msgSender()), "Not authorized");
        return _call(sender, to, data, msg.value);
    }

    // Same as callAs, but authorised by an EIP-712 signature from `sender`;
    // msg.value is part of the signed payload and is forwarded in full.
    function callSigned(
        address sender,
        address to,
        bytes memory data,
        uint256 deadline,
        bytes32 r,
        bytes32 sv
    ) public payable returns (bytes memory returnData) {
        // slither-disable-next-line timestamp
        require(block.timestamp <= deadline, "Execution deadline expired");
        uint256 currNonce = nonce[sender]++;
        bytes32 executeHash = keccak256(
            abi.encode(
                callSignedTypeHash, sender, to, keccak256(data), msg.value, currNonce, deadline
            )
        );
        address signer = ECDSA.recover(_hashTypedDataV4(executeHash), r, sv);
        require(signer == sender, "Invalid signature");
        return _call(sender, to, data, msg.value);
    }

    // Each call carries its own `value`; nothing checks that these values sum
    // to msg.value, so any Ether sent beyond the sum remains in Caller.
    function callBatched(Call[] memory calls) public payable returns (bytes[] memory returnData) {
        returnData = new bytes[](calls.length);
        address sender = _msgSender();
        for (uint256 i = 0; i < calls.length; i++) {
            Call memory call = calls[i];
            returnData[i] = _call(sender, call.to, call.data, call.value);
        }
    }

Tools Used

VS Code

Recommended Mitigation Steps

Remove the payable attribute or add a withdraw function.
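
Both mitigations, written out as an added example that is not Drips code and not part of the original submission. It assumes the batched-call shape shown above (a `Call` struct with `to`, `data` and `value`); the contract names `StrictBatchCaller` and `SweepableCaller`, the error `ValueMismatch` and the function `sweep` are hypothetical, and the real Caller's authorization checks and ERC-2771 sender suffix are left out so the value accounting stays visible:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Drips code. StrictBatchCaller, SweepableCaller,
// ValueMismatch and sweep are hypothetical names. The real Caller's
// authorization and ERC-2771 sender suffix are omitted on purpose.

struct Call {
    address to;
    bytes data;
    uint256 value;
}

/// Option 1: never keep Ether. The per-call values must sum to exactly
/// msg.value, so a batch that sends too much reverts instead of stranding
/// the surplus in the contract.
contract StrictBatchCaller {
    error ValueMismatch(uint256 sent, uint256 forwarded);

    function callBatched(Call[] calldata calls)
        external
        payable
        returns (bytes[] memory returnData)
    {
        returnData = new bytes[](calls.length);
        uint256 forwarded = 0;
        for (uint256 i = 0; i < calls.length; i++) {
            forwarded += calls[i].value;
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "Call failed");
            returnData[i] = ret;
        }
        // Checked after the loop so every target has run; catches both a
        // surplus (would be stranded) and a shortfall covered by any balance
        // the contract happened to hold.
        if (forwarded != msg.value) revert ValueMismatch(msg.value, forwarded);
    }
}

/// Option 2: keep the lenient batch but make stranded Ether recoverable.
/// An unguarded withdraw would let anyone take the surplus, so the sweep
/// is restricted to a fixed owner set at deployment.
contract SweepableCaller {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function callBatched(Call[] calldata calls)
        external
        payable
        returns (bytes[] memory returnData)
    {
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "Call failed");
            returnData[i] = ret;
        }
        // Whatever part of msg.value the calls did not consume stays here
        // until the owner sweeps it.
    }

    function sweep(address payable to) external {
        require(msg.sender == owner, "Not owner");
        (bool ok,) = to.call{value: address(this).balance}("");
        require(ok, "Sweep failed");
    }
}
```

The strict variant is the smaller change and removes the trust assumption entirely; a sweep function only moves the question to who controls the owner key, and the exact-sum check is what turns the "sent too much" case the judge mentions into a revert rather than a silent loss.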

GalloDaSballo commented 1 year ago

Closing as poor quality. Technically you can lose value if you send too much, but this submission is missing the nuance.

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient quality