code-423n4 / 2023-09-delegate-findings


Potentially user may lose his funds due to payable marker #333

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L389

Vulnerability details

The DelegateToken.flashloan function is marked as payable, which means it can receive Ether during its execution. However, there is no mechanism in the function to handle or refund the received ETH. If a user accidentally sends ETH along with the function call, the ETH will be locked in the contract forever, leading to a loss of funds. It can be avoided by removing the payable marker if the function is not intended to receive ETH.

Assessed type

Payable

c4-judge commented 11 months ago

GalloDaSballo marked the issue as unsatisfactory: Invalid

c4-judge commented 11 months ago

GalloDaSballo removed the grade

c4-judge commented 11 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)

0xfoobar commented 11 months ago

This is wrong, eth is passed along in the callback here: https://github.com/code-423n4/2023-09-delegate/blob/main/src/libraries/DelegateTokenLib.sol#L92

c4-sponsor commented 11 months ago

0xfoobar (sponsor) disputed

c4-judge commented 10 months ago

GalloDaSballo marked the issue as grade-c
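
The two behaviours argued over in this thread, side by side, as an added Solidity sketch that is not part of the issue and not the Delegate project's code: a payable entry point that passes `msg.value` on to the callback, next to one that keeps it. Every contract, interface and function name here is hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical receiver interface for this illustration only.
interface IReceiver {
    function onFlashloan(address initiator, bytes calldata data)
        external
        payable
        returns (bytes32);
}

// Pattern described in the sponsor's reply: the function is payable
// because the ETH is handed to the receiver in the callback.
contract ForwardingLender {
    bytes32 internal constant CALLBACK_OK = keccak256("IReceiver.onFlashloan");

    function flashloan(IReceiver receiver, bytes calldata data) external payable {
        // Balance this contract held before the caller's ETH arrived.
        uint256 balanceBefore = address(this).balance - msg.value;

        // msg.value travels with the callback, so none of it stays here.
        bytes32 result = receiver.onFlashloan{value: msg.value}(msg.sender, data);
        require(result == CALLBACK_OK, "callback failed");

        // Check a reviewer can look for: the call left no ETH behind.
        require(address(this).balance == balanceBefore, "ETH retained");
    }
}

// Pattern the submission assumed: payable, but msg.value is neither
// forwarded nor refunded. With no withdrawal path the ETH is stuck.
contract RetainingLender {
    function flashloan(IReceiver receiver, bytes calldata data) external payable {
        receiver.onFlashloan(msg.sender, data);
    }
}

// Minimal receiver that accepts the forwarded ETH and acknowledges.
contract Receiver is IReceiver {
    function onFlashloan(address, bytes calldata)
        external
        payable
        override
        returns (bytes32)
    {
        return keccak256("IReceiver.onFlashloan");
    }
}
```

When reviewing a `payable` function, tracing where `msg.value` goes (forwarded, refunded, accounted for, or none of these) is what separates the first contract from the second.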