Status: Closed (closed by code423n4, 1 year ago)
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L144
https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L164
https://github.com/code-423n4/2023-01-drips/blob/main/src/Caller.sol#L193

Vulnerability details

Impact
Contract with a payable function, but without a withdrawal capacity. All Ether sent to Caller will be lost.

Proof of Concept
File: Caller.sol

```solidity
// Forwards a call on behalf of `sender`; the full msg.value is passed on to _call.
function callAs(address sender, address to, bytes memory data)
    public
    payable
    returns (bytes memory returnData)
{
    require(isAuthorized(sender, _msgSender()), "Not authorized");
    return _call(sender, to, data, msg.value);
}

// Forwards a call authorised by an EIP-712 signature; the full msg.value is passed on to _call.
function callSigned(
    address sender,
    address to,
    bytes memory data,
    uint256 deadline,
    bytes32 r,
    bytes32 sv
) public payable returns (bytes memory returnData) {
    // slither-disable-next-line timestamp
    require(block.timestamp <= deadline, "Execution deadline expired");
    uint256 currNonce = nonce[sender]++;
    bytes32 executeHash = keccak256(
        abi.encode(
            callSignedTypeHash,
            sender,
            to,
            keccak256(data),
            msg.value,
            currNonce,
            deadline
        )
    );
    address signer = ECDSA.recover(_hashTypedDataV4(executeHash), r, sv);
    require(signer == sender, "Invalid signature");
    return _call(sender, to, data, msg.value);
}

// Forwards several calls; each call carries its own `value`, and msg.value is not reconciled here.
function callBatched(Call[] memory calls) public payable returns (bytes[] memory returnData) {
    returnData = new bytes[](calls.length);
    address sender = _msgSender();
    for (uint256 i = 0; i < calls.length; i++) {
        Call memory call = calls[i];
        returnData[i] = _call(sender, call.to, call.data, call.value);
    }
}
```

Tools Used
VS Code

Recommended Mitigation Steps
Remove the payable attribute or add a withdraw function.
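The nuance the judge refers to is visible in the quoted code: callAs and callSigned hand the whole msg.value to _call, so nothing is left behind, whereas callBatched forwards each call's own `value` and never compares the sum with msg.value, so an overpaying caller leaves the difference in the contract. The following is an added example, not Drips code; it uses a simplified stand-in forwarder (the names BatchForwarderUnchecked, BatchForwarderChecked, Call and ValueMismatch are illustrative assumptions) to show the stranding pattern beside the mitigation of reconciling the forwarded total against msg.value, which is the check the recommended "remove payable or add withdraw" advice is really reaching for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Drips' Caller.sol. Struct shape mirrors the fields used on the page
// (to, data, value); everything else here is an assumption made for illustration.
struct Call {
    address to;
    bytes data;
    uint256 value;
}

// Vulnerable pattern: each call forwards its own `value`, but the contract never checks
// that the values add up to msg.value. Any excess stays here, and with no withdraw
// function or receive() path back out, it is stranded.
contract BatchForwarderUnchecked {
    function callBatched(Call[] memory calls) external payable returns (bytes[] memory returnData) {
        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "call failed");
            returnData[i] = ret;
        }
        // msg.value minus the sum of calls[i].value remains in address(this) with no way out.
    }

    // Helper for inspection: Ether that has accumulated with no owner able to reclaim it.
    function strandedBalance() external view returns (uint256) {
        return address(this).balance;
    }
}

// Hardened pattern: total the requested values first and require them to equal msg.value.
// Overpaying now reverts with a descriptive error instead of silently losing funds, and
// underpaying is rejected up front rather than failing part-way through the batch.
contract BatchForwarderChecked {
    error ValueMismatch(uint256 sent, uint256 requested);

    function callBatched(Call[] memory calls) external payable returns (bytes[] memory returnData) {
        uint256 requested = 0;
        for (uint256 i = 0; i < calls.length; i++) {
            requested += calls[i].value;
        }
        if (requested != msg.value) revert ValueMismatch(msg.value, requested);

        returnData = new bytes[](calls.length);
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].to.call{value: calls[i].value}(calls[i].data);
            require(ok, "call failed");
            returnData[i] = ret;
        }
        // Invariant after the loop: every wei received in this transaction has been forwarded.
    }
}
```

A reviewer checking a forwarder of this shape would look for exactly this reconciliation (or an explicit refund of the remainder to msg.sender) on every payable entry point whose forwarded value is computed from arguments rather than taken directly from msg.value; the per-call forwarding functions on the page already satisfy it by construction.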
Closing as poor quality; technically you can lose value if you send too much, but this submission is missing the nuance.
GalloDaSballo marked the issue as unsatisfactory: Insufficient quality