code-423n4 / 2023-05-ajna-findings


The `executeExtraordinary` function transfers ETH but lacks the `payable` keyword #411

Closed. code423n4 closed this issue 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L56

Vulnerability details

Impact

The `executeExtraordinary` function of the ExtraordinaryFunding.sol file transfers `value_` but does not have the `payable` keyword. `executeExtraordinary` is supposed to be able to accept Ether, denoted by the `value_` argument, but lacks the `payable` keyword, so every transaction sending ETH to `executeExtraordinary` will revert.

Proof of Concept

The `executeExtraordinary` function calls `_execute`, which implements the `call` function with value, but `executeExtraordinary` lacks the `payable` keyword, which will make every call to `executeExtraordinary` with Ether revert.

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L56

https://github.com/code-423n4/2023-05-ajna/blob/276942bc2f97488d07b887c8edceaaab7a5c3964/ajna-grants/src/grants/base/ExtraordinaryFunding.sol#L81

Tools Used

Manual Review

Recommended Mitigation Steps

Add the `payable` keyword to the `executeExtraordinary` function of the ExtraordinaryFunding.sol file.

Assessed type

Payable
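The pattern the report describes, reduced to a self-contained illustration (this is added example code, not the Ajna contracts; `ValueForwarder`, `executeNonPayable`, `executePayable`, `Recipient` and `Demo` are invented names). A non-`payable` external function rejects any transaction carrying `msg.value` before its body runs, so the `call{value: value_}` inside `_execute` can only be funded from ETH the contract already holds. The `payable` variant also adds the check a reviewer would ask for alongside the keyword: that the ETH supplied in the transaction matches the amount being forwarded, so a caller cannot drain the contract's existing balance by passing a larger `value_` than they sent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

// Added illustration of the non-payable-forwarder defect and its fix.
// Not Ajna code; all contract and function names here are assumptions.
contract ValueForwarder {
    event Executed(address indexed target, uint256 value);

    // Defective form: no `payable`, so any tx that attaches ETH reverts at the
    // compiler-generated msg.value == 0 check, before _execute is reached.
    function executeNonPayable(address target, uint256 value_) external {
        _execute(target, value_);
    }

    // Fixed form: `payable` lets the caller supply the ETH in the same tx.
    // The equality check keeps value_ tied to what the caller actually sent.
    function executePayable(address target, uint256 value_) external payable {
        require(msg.value == value_, "msg.value must equal value_");
        _execute(target, value_);
    }

    // Shared low-level forwarder, mirroring the _execute-with-value pattern.
    function _execute(address target, uint256 value_) internal {
        (bool ok, ) = target.call{value: value_}("");
        require(ok, "forwarded call failed");
        emit Executed(target, value_);
    }
}

// Constructed ETH sink so the forwarded call has somewhere to land.
contract Recipient {
    receive() external payable {}
}

// Harness: deploy, then call run() with exactly 2 wei attached.
// Both attempts are made via low-level call so a revert is observed as a
// false success flag instead of aborting the whole demonstration.
contract Demo {
    ValueForwarder public fwd = new ValueForwarder();
    Recipient public rcpt = new Recipient();

    function run() external payable returns (bool nonPayableOk, bool payableOk) {
        require(msg.value == 2 wei, "send exactly 2 wei");

        // Attempt 1: 1 wei attached to the non-payable entry point.
        (nonPayableOk, ) = address(fwd).call{value: 1 wei}(
            abi.encodeCall(fwd.executeNonPayable, (address(rcpt), 1 wei))
        );

        // Attempt 2: 1 wei attached to the payable entry point.
        (payableOk, ) = address(fwd).call{value: 1 wei}(
            abi.encodeCall(fwd.executePayable, (address(rcpt), 1 wei))
        );
    }
}
```

Deploy `Demo` and invoke `run()` with 2 wei in a local environment such as Remix or a Foundry script: the first low-level call fails because `executeNonPayable` rejects the attached value, while the second succeeds and `Recipient` ends up holding 1 wei. Removing the `msg.value == value_` check from `executePayable` would make the function accept the ETH, but would let a call with a large `value_` forward ETH that other parties had previously deposited, which is why the keyword and the check belong together.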

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #280

c4-judge commented 1 year ago

Picodes marked the issue as partial-25

Picodes commented 1 year ago

This could be used to DoS the system but no impact is described in this report

c4-judge commented 1 year ago

Picodes changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

Picodes marked the issue as grade-c