All Ether sent to LSP0ERC725Account will be permanently locked because it inherits the receive function from the LSP0ERC725AccountCore contract but does not have a withdraw function.
Proof of Concept
All Ether sent to LSP0ERC725Account will be permanently locked because it inherits the receive function from the LSP0ERC725AccountCore contract but does not have a withdraw function.
contract LSP0ERC725Account is LSP0ERC725AccountCore {
abstract contract LSP0ERC725AccountCore is
ERC725XCore,
ERC725YCore,
IERC1271,
ILSP0ERC725Account,
ILSP1UniversalReceiver,
LSP14Ownable2Step,
LSP17Extendable,
LSP20CallVerification
{
...//ommitted code
receive() external payable virtual {//@audit can receive ether but no withdraw.
if (msg.value != 0) {
emit ValueReceived(msg.sender, msg.value);
}
}
...//omitted code
Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a withdraw function to the LSP0ERC725Account contract or the LSP0ERC725AccountCore contract.
Lines of code
https://github.com/code-423n4/2023-06-lukso/blob/9dbc96410b3052fc0fd9d423249d1fa42958cae8/contracts/LSP0ERC725Account/LSP0ERC725AccountCore.sol#L117
Vulnerability details
Impact
All Ether sent to LSP0ERC725Account will be permanently locked because it inherits the
receive
function from the LSP0ERC725AccountCore contract but does not have a withdraw function.Proof of Concept
All Ether sent to LSP0ERC725Account will be permanently locked because it inherits the
receive
function from the LSP0ERC725AccountCore contract but does not have a withdraw function.Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a withdraw function to the LSP0ERC725Account contract or the LSP0ERC725AccountCore contract.
Assessed type
ETH-Transfer