c4-bot-8 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-02-wise-lending/blob/main/contracts/PowerFarms/PendlePowerFarm/PendlePowerManager.sol#L17-L29

Vulnerability details

Impact

In all other contracts in the protocol, we can see that the receive function looks like this:

    /**
     * @dev Standard receive functions forwarding
     * directly send ETH to the master address.
     */
    receive()
        external
        payable
    {
        if (msg.sender == WETH_ADDRESS) {
            return;
        }

        _sendValue(
            master,
            msg.value
        );
    }

This function gathers the ether sent to the contract without data and sends it to the master address. However, if we look at the PendlePowerManager, the comment says exactly the same but it only emits an event.

    /**
     * @dev Standard receive functions forwarding
     * directly send ETH to the master address.
     */
    receive()
        external
        payable
    {
        emit ETHReceived(
            msg.value,
            msg.sender
        );
    }

In this case the money is kept in the contract but there is no function to transfer it out. I guess that the contract needed the receive function open for the WETH contract interaction and some other things but it could be implemented just as other contract do. Check the sender to be one of the whitelisted contracts, if not, transfer the funds out to the master address or to the sender.

Tools Used

Manual review

Recommended Mitigation Steps

    /**
     * @dev Standard receive functions forwarding
     * directly send ETH to the master address.
     */
    receive()
        external
        payable
    {
        if (msg.sender == WETH_ADDRESS) {
            return;
        }

        _sendValue(
            master,
            msg.value
        );
    }

Assessed type

ETH-Transfer