numotrade / numo

🤖 Smart contract suite for Numo.
https://docs.numo.trade

Functions marked payable do not use msg.value field #11

Closed robertleifke closed 1 month ago

robertleifke commented 2 months ago

Description:

Several functions in the system, spanning multiple contracts, are marked with the payable modifier despite not using the msg.value field. This means a user may lose funds, thinking that they need to include ether in their transaction or by sending ether to these function calls.

  1. LiquidityManager.removeLiquidity
  2. LiquidityManager.collect
  3. SelfPermit.selfPermit
  4. SelfPermit.selfPermitAllowed
  5. Payment.unwrapETH
  6. Payment.sweepToken
  7. LendgineRouter.burn

Action items:

robertleifke commented 2 months ago

Recommendation:

Long term, ensure all functions that are intended to interact with ether are clearly marked and explicitly use the msg.value field. All functions that are not meant to take ether should not be payable.
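An added Solidity illustration of the finding and the recommended fix (example code, not from the numo repository): a hypothetical router with a sweepToken-style function, first with a payable modifier that never reads msg.value, then without it, plus a Foundry (forge-std) test showing that attached ether is stranded in the first version and rejected by the second.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Minimal token surface needed for the illustration (hypothetical).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract VulnerableRouter {
    // Defect mirrored from the issue: payable, but msg.value is never read,
    // so any ether attached by a confused caller is accepted and stranded
    // (this contract has no withdrawal path for it).
    function sweepToken(IERC20 token, uint256 amount, address recipient) external payable {
        require(token.transfer(recipient, amount), "transfer failed");
    }
}

contract HardenedRouter {
    // Fix: not payable. The compiled dispatcher reverts any call that carries
    // ether, so a mistaken msg.value is returned to the sender automatically.
    function sweepToken(IERC20 token, uint256 amount, address recipient) external {
        require(token.transfer(recipient, amount), "transfer failed");
    }
}

// Constructed stub so the test needs no real token.
contract StubToken is IERC20 {
    function transfer(address, uint256) external pure returns (bool) { return true; }
}

contract PayableAuditTest is Test {
    function testEtherStrandedInVulnerableRouter() public {
        VulnerableRouter r = new VulnerableRouter();
        vm.deal(address(this), 1 ether);
        r.sweepToken{value: 1 ether}(new StubToken(), 1, address(this));
        assertEq(address(r).balance, 1 ether); // ether accepted and stuck
    }

    function testHardenedRouterRejectsEther() public {
        HardenedRouter r = new HardenedRouter();
        vm.deal(address(this), 1 ether);
        // {value: ...} on a non-payable function is a compile error, so use a
        // raw call to show the runtime revert a caller would hit.
        (bool ok, ) = address(r).call{value: 1 ether}(
            abi.encodeCall(r.sweepToken, (new StubToken(), 1, address(this)))
        );
        assertFalse(ok);                       // call reverted, ether refunded
        assertEq(address(r).balance, 0);
    }
}
```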

robertleifke commented 1 month ago

Merge successful. Removed Payable Modifier.