code-423n4 / 2023-01-numoen-findings


refundETH FUNCTION CAN BE CALLED BY ANYONE #148

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/Payment.sol#L45

Vulnerability details

Impact

Anyone could call the refundETH function to take all the ETH in this contract.

Proof of Concept

https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/Payment.sol#L45

```solidity
  function refundETH() external payable {
    // no restriction on msg.sender: the entire balance goes to whoever calls
    if (address(this).balance > 0) SafeTransferLib.safeTransferETH(msg.sender, address(this).balance);
  }
```

It seems that this refundETH function doesn't check msg.sender; anyone could call this function and get the balance of this contract.

Tools Used

-

Recommended Mitigation Steps

I think you could add a check on msg.sender.

This is the first time I have submitted a report; please forgive me if this is not a real bug :)

berndartmueller commented 1 year ago

The Payment abstract utility contract is only used by the LendgineRouter and the LiquidityManager contracts, which both do not intend to hold any token funds directly.

If there's leftover WETH in those two contracts, it's not systematic and only because a previous user mistakenly transferred the incorrect amount or called removeLiquidity with address(0) as the to address. This issue is a result of a user error.

Additionally, the protocol is permissionless, there's no contract owner.

Closing as invalid.
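To make the two positions in this thread concrete, here is an added illustration (not Numoen code): the reported sweep-everything shape next to an ownerless alternative that refunds only the caller's own unused msg.value in the same call. `_doWork` is a hypothetical stand-in for whatever the periphery does with the ETH it needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Numoen code. `_doWork` stands in for whatever the
// periphery contract does with the ETH it needs (hypothetical).
abstract contract RefundPatterns {
    // Shape of the reported function: the whole contract balance goes to
    // whoever calls. Harmless only if the balance is always zero between
    // transactions, i.e. the contract never holds funds by design; any ETH
    // left behind by one user's mistake is claimable by the next caller.
    function refundETH() external payable {
        uint256 bal = address(this).balance;
        if (bal > 0) _send(msg.sender, bal);
    }

    // Ownerless alternative: the refund is scoped to the caller's own
    // msg.value and happens in the same call, so a later caller can never
    // collect what an earlier user left behind. Trade-off: ETH stranded by
    // a previous transaction is no longer recoverable through this path.
    function payAndRefund(uint256 needed) external payable {
        require(msg.value >= needed, "insufficient ETH");
        _doWork(needed);
        uint256 change = msg.value - needed;
        if (change > 0) _send(msg.sender, change);
    }

    function _doWork(uint256 amount) internal virtual;

    function _send(address to, uint256 amount) private {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

A useful invariant check for the sweep variant is that `address(router).balance == 0` after every user-facing transaction; if that holds, the sponsor's reasoning applies and refundETH only ever returns the caller's own leftover.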

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid