code-423n4 / 2023-01-numoen-findings


Anyone can withdraw contract funds #269

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/Payment.sol#L44

Vulnerability details

Impact

The impact is critical: an attacker could drain the entire ETH balance of the contract by calling the refundETH function, which lacks a modifier. The funds always go to the caller of the function.

Proof of Concept

It is not a complex attack, so these are the steps to reproduce it:

1. Identify the vulnerable function.
2. Check whether the balance of the Payment contract is > 0.
3. Call the refundETH function; the ether goes to the caller's wallet or smart contract.

Tools Used

manual

Recommended Mitigation Steps

Add an onlyOwner modifier to mitigate the risks and control who can call the function.
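
The pattern the submission describes and the mitigation it recommends, as an added Solidity illustration that is not part of the original issue and is not Numoen's Payment.sol: the contract names, the receive() functions and the Drainer helper are all hypothetical reconstructions of the shape described above, and the guarded version is only relevant if the contract is expected to hold ETH between transactions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration only; none of this is Numoen's
// Payment.sol. They reconstruct the shape the submission describes and the
// fix it proposes.

// Shape described in the submission: refundETH() has no access control,
// so whoever calls it receives the contract's entire ETH balance.
contract PermissionlessRefund {
    // Lets the contract end up holding ETH (e.g. ETH sent by mistake).
    receive() external payable {}

    function refundETH() external {
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "refund failed");
        }
    }
}

// Mitigation proposed in the submission: gate refundETH() behind onlyOwner.
// This only matters if the contract is expected to hold ETH between
// transactions; the sponsor's reply states that the contracts use WETH and
// that stray ETH is user error, in which case there is no balance for
// either version to hand out.
contract GuardedRefund {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    receive() external payable {}

    function refundETH() external onlyOwner {
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "refund failed");
        }
    }
}

// Caller used to reproduce the submission's PoC against PermissionlessRefund:
// fund the target, call drain(), and the target's balance moves here.
// Pointed at GuardedRefund, the same call reverts with "not owner".
contract Drainer {
    receive() external payable {}

    function drain(address target) external {
        PermissionlessRefund(payable(target)).refundETH();
    }
}
```

To reproduce in a local test: deploy PermissionlessRefund, send it some ETH, deploy Drainer and call drain(address(target)); the target's balance ends up in Drainer. Repeat against GuardedRefund from a non-owner account and the call reverts. Whether the first outcome is a finding depends on whether the contract is ever meant to hold ETH, which is the point the sponsor's reply turns on.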

berndartmueller commented 1 year ago

ETH is not used within the contracts. Instead, wrapped ETH (WETH) is used. Any ETH accidentally sent by users to any of the payable functions is considered user error.

Closing as invalid.

c4-judge commented 1 year ago

berndartmueller marked the issue as unsatisfactory: Invalid