Closed code423n4 closed 1 year ago
user mistake
QA might be more appropriate.
Keref marked the issue as sponsor disputed
Internal function calls don't need to pass tx parameters around. msg.value is still set in deposit. This isn't an external call
gzeon-c4 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-goodentry/blob/main/contracts/GeVault.sol#L463
Vulnerability details
Impact
ETH sent to the GeVault would be reverted.
Proof of Concept
GeVault implements receive payable to wrap any ETH sent directly into the contracts but fails to send the msg.value following the call to deposit, this causes the call to attempt to transfer token from msg.sender instead of depositing/wrapping ETH.
When ETH is sent to the contract it attempts to deposit.
But since the msg.value is not passed to the call to deposit it would be zero and would attempt to transferFrom rather than wrapping the ETH.
Tools Used
Manual Review
Recommended Mitigation Steps
Pass the msg.value to the call to deposit
Assessed type
ETH-Transfer
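The sponsor's point in the thread above, that an internal call keeps msg.value while only an external call starts a new message with its own value, shown as an added Solidity example. It is not GeVault's code or part of the original report; the contract MsgValueDemo and all of its functions are hypothetical and constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical minimal contract (constructed example, not GeVault).
contract MsgValueDemo {
    uint256 public lastWrapped;  // amount read from msg.value on the ETH branch
    bool public tookTokenPath;   // true when the "pull tokens" branch ran instead

    // Plain ETH transfers land here. deposit() is reached by an internal jump,
    // not a CALL, so the message context (msg.sender, msg.value) is unchanged.
    receive() external payable {
        deposit();
    }

    // Stand-in for a deposit routine that wraps ETH when value was attached
    // and would otherwise fall back to pulling tokens from the caller.
    function deposit() public payable returns (uint256 amount) {
        if (msg.value > 0) {
            amount = msg.value;      // ETH branch: the value is visible here
            lastWrapped = amount;
            tookTokenPath = false;
        } else {
            tookTokenPath = true;    // token branch: a transferFrom would run here
        }
    }

    // Contrast 1: an external self-call creates a new message frame.
    // No value is attached, so deposit() sees msg.value == 0 and takes the
    // token branch; the ETH sent to this function simply stays in the contract.
    function depositViaExternalCall() external payable returns (uint256) {
        return this.deposit();
    }

    // Contrast 2: an external call only carries value when it is forwarded
    // explicitly with the {value: ...} call option.
    function depositForwarding() external payable returns (uint256) {
        return this.deposit{value: msg.value}();
    }
}
```

Sending 1 ether to the contract directly sets lastWrapped to 1 ether through receive(), while depositViaExternalCall with the same value leaves tookTokenPath set to true.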