code-423n4 / 2023-03-aragon-findings

Funds in DAO contract cannot be withdrawn #186

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-aragon/blob/main/packages/contracts/src/core/dao/DAO.sol#L218-L236

Vulnerability details

Impact

The DAO contract can receive funds but cannot withdraw them. Funds occasionally sent by users will be stuck in those contracts.

Proof of Concept

Receive funds through deposit function in DAO.sol#L218-L236

/// @inheritdoc IDAO
function deposit(
    address _token,
    uint256 _amount,
    string calldata _reference
) external payable override {

And through receive function in DAO.sol#L263-L265

receive() external payable {
    emit NativeTokenDeposited(msg.sender, msg.value);
}

Tools Used

Code review

Recommended Mitigation Steps

Add a withdraw function

c4-judge commented 1 year ago

0xean marked the issue as unsatisfactory: Insufficient quality