c4-judge
commented
1 year ago GalloDaSballo marked the issue as unsatisfactory: Invalid
Closed c4-submissions closed 1 year ago
c4-judge
commented
1 year ago GalloDaSballo marked the issue as unsatisfactory: Invalid
c4-judge
commented
1 year ago GalloDaSballo removed the grade
c4-judge
commented
1 year ago GalloDaSballo changed the severity to QA (Quality Assurance)
0xfoobar
commented
1 year ago This is wrong, eth is passed along in the callback here: https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenLib.sol#L92
c4-sponsor
commented
1 year ago 0xfoobar (sponsor) disputed
c4-judge
commented
1 year ago GalloDaSballo marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L389
Vulnerability details
DelegateToken.flashloanfunction is marked aspayablewhich means it can receive Ether during its execution. However, there is no mechanism in the function to handle or refund the received ETH. If a user accidentally sends ETH along with the function call, the ETH will be locked in the contract forever, leading to a loss of funds. It's can be avoided by removing thepayablemarker if the function is not intended to receive ETH.Assessed type
Payable