code-423n4 / 2023-03-neotokyo-findings


Lack of methods for taking accidentally sent tokens #205

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-neotokyo/blob/dfa5887062e47e2d0c801ef33062d44c09f6f36e/contracts/staking/BYTES2.sol#L34

Vulnerability details

Impact

Tokens sent to the BYTES2 contract address will be blocked forever.

Proof of Concept

We can see in the example of BYTES https://etherscan.io/address/0x7d647b1A0dcD5525e9C6B3D14BE58f27674f8c95 that users have blocked more than $5,000 on the contract. This happens often on most projects. Users do not check the address they entered when sending, and send funds to the token address itself. There are no methods for obtaining the blocked funds.

Tools Used

Manual review

Recommended Mitigation Steps

Add a method for retrieving locked ERC20/ERC721 tokens from the BYTES2 contract.
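One shape such a rescue method could take, as an added illustration that is not code from the Neo Tokyo repository or from this submission: an owner-gated mixin that sweeps an ERC20 balance or a single ERC721 from the contract, with a hook that excludes assets the contract legitimately holds. The `RescuableTokens` name, the `_isProtected` hook and the event are hypothetical; the OpenZeppelin imports (`Ownable`, `SafeERC20`, `IERC721`) are assumed to be available in the build.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not part of the neotokyo codebase. Assumes OpenZeppelin
// Contracts (v4.x-style Ownable with no constructor argument) is installed.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

/// @dev Hypothetical mixin: a token or staking contract inherits this so the
///      owner can return tokens that users transferred to the contract address
///      by mistake, without being able to touch assets the contract is meant to hold.
abstract contract RescuableTokens is Ownable {
    using SafeERC20 for IERC20;

    /// @dev Emitted for every rescue so sweeps are visible on-chain to users and monitors.
    event TokensRescued(address indexed token, address indexed to, uint256 amountOrId);

    /// @notice Sweep an ERC20 balance that was sent to this contract by accident.
    function rescueERC20(IERC20 token, address to, uint256 amount) external onlyOwner {
        require(to != address(0), "rescue: zero recipient");
        require(!_isProtected(address(token)), "rescue: protected asset");
        // safeTransfer handles non-standard ERC20s that return nothing on transfer.
        token.safeTransfer(to, amount);
        emit TokensRescued(address(token), to, amount);
    }

    /// @notice Return a single ERC721 token that was sent to this contract by accident.
    function rescueERC721(IERC721 token, address to, uint256 tokenId) external onlyOwner {
        require(to != address(0), "rescue: zero recipient");
        require(!_isProtected(address(token)), "rescue: protected asset");
        // safeTransferFrom reverts if `to` is a contract that cannot receive ERC721s,
        // which avoids re-locking the token in another unreachable address.
        token.safeTransferFrom(address(this), to, tokenId);
        emit TokensRescued(address(token), to, tokenId);
    }

    /// @dev Hook (assumption: implemented by the inheriting contract). Return true
    ///      for any asset the contract legitimately custodies, such as staked NFTs
    ///      or its own supply, so the rescue path can never drain user deposits.
    function _isProtected(address token) internal view virtual returns (bool);
}
```

The `_isProtected` hook is the part a reviewer would insist on: a rescue function that can move any token the contract holds is a privileged withdrawal path over user funds, so the contract should whitelist what is rescuable (or blacklist what is custodied) and emit an event for every sweep so that unexpected calls can be detected.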

c4-judge commented 1 year ago

hansfriese marked the issue as satisfactory

c4-judge commented 1 year ago

hansfriese marked the issue as primary issue

TimTinkers commented 1 year ago

This has nothing to do with the staker functioning correctly, and is a QA issue at best.

c4-sponsor commented 1 year ago

TimTinkers marked the issue as sponsor disputed

c4-judge commented 1 year ago

hansfriese changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

hansfriese marked the issue as grade-b

c4-sponsor commented 1 year ago

TimTinkers marked the issue as sponsor acknowledged

c4-judge commented 1 year ago

hansfriese marked the issue as grade-a