re-al-Foundation / rwa-contracts


[RSE-02M] Untracked Native Fund Deposits #60

Closed chasebrownn closed 5 months ago

chasebrownn commented 5 months ago

RSE-02M: Untracked Native Fund Deposits

Type Severity Location
Logical Fault RevenueStreamETH.sol:L128

Description:

The RevenueStreamETH::receive function does not track native deposits thereby causing their loss within the contract.

Impact:

It is presently possible to transmit native funds to the RevenueStreamETH that will not be properly distributed, leading to fund loss.

Example:

/**
 * @notice This method allows address(this) to receive ETH.
 */
receive() external payable {}

/**
 * @notice This method is used to deposit ETH into the contract to be claimed by shareholders.
 * @dev Can only be called by an address granted the `DEPOSITOR_ROLE`.
 */
function depositETH() payable external {
    require(msg.sender == revenueDistributor, "RevenueStreamETH: Not authorized");

    if (revenue[block.timestamp] == 0) {
        cycles.push(block.timestamp);
        revenue[currentCycle()] = msg.value;
    }
    else {
        /// @dev In the event `depositETH` is called twice in the same second (though unlikely), don't push a new cycle.
        ///      Just add the value to the existing cycle.
        revenue[block.timestamp] += msg.value;
    }

    emit RevenueDeposited(msg.value);
}

Recommendation:

We advise the code to either invoke the RevenueStreamETH::depositETH function, or to be omitted entirely so as to avoid accidental loss of funds.
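
An added example, not code from the rwa-contracts repository, showing the pattern the recommendation points at: the plain `receive()` path and `depositETH()` share one accounting routine, so no ETH can sit in the contract outside a revenue cycle. The contract name, the `depositor` address (standing in for the `revenueDistributor` / `DEPOSITOR_ROLE` check), `_record`, `trackedBalance` and `untrackedBalance` are illustrative names chosen here; the `cycles` array, `revenue` mapping and `RevenueDeposited` event mirror the snippet above. Claims by shareholders are left out to keep the example short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not the rwa-contracts code): a minimal revenue stream in
/// which both deposit paths go through the same accounting, closing the
/// untracked-deposit gap described in RSE-02M.
contract RevenueStreamExample {
    /// Assumed stand-in for the `revenueDistributor` / `DEPOSITOR_ROLE` check.
    address public immutable depositor;

    /// Timestamps of every revenue cycle, as in the issue's `cycles` array.
    uint256[] public cycles;
    /// Revenue per cycle timestamp, as in the issue's `revenue` mapping.
    mapping(uint256 => uint256) public revenue;
    /// Running total of ETH that has been recorded into a cycle
    /// (a real contract would reduce this as shareholders claim).
    uint256 public trackedBalance;

    event RevenueDeposited(uint256 amount);

    constructor(address depositor_) {
        depositor = depositor_;
    }

    /// Plain ETH transfers are subject to the same authorisation and the same
    /// accounting as depositETH. Anyone else sending ETH is reverted, which
    /// matches the "omit it entirely" half of the recommendation for them.
    receive() external payable {
        require(msg.sender == depositor, "RevenueStreamExample: Not authorized");
        _record(msg.value);
    }

    /// Authorised deposits, mirroring the issue's depositETH.
    function depositETH() external payable {
        require(msg.sender == depositor, "RevenueStreamExample: Not authorized");
        _record(msg.value);
    }

    /// Shared accounting path: one cycle per block timestamp; additional value
    /// received in the same second is added to the existing cycle rather than
    /// opening a new one. The zero-amount guard is an added choice so that an
    /// empty deposit cannot open an empty cycle.
    function _record(uint256 amount) internal {
        require(amount > 0, "RevenueStreamExample: zero deposit");
        if (revenue[block.timestamp] == 0) {
            cycles.push(block.timestamp);
        }
        revenue[block.timestamp] += amount;
        trackedBalance += amount;
        emit RevenueDeposited(amount);
    }

    /// Invariant a test suite or monitor can check: with receive() routed
    /// through _record, the contract never holds ETH that no cycle accounts
    /// for. ETH force-sent via selfdestruct or as block rewards would still
    /// show up here as a non-zero value, which is exactly what a monitor
    /// should alert on.
    function untrackedBalance() external view returns (uint256) {
        return address(this).balance - trackedBalance;
    }
}
```

Calling `depositETH` from `receive()` via `this.depositETH{value: msg.value}()` would not work here, because that external call makes `msg.sender` the contract itself and fails the authorisation check; a shared internal routine is the idiomatic way to give both entry points identical bookkeeping.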

chasebrownn commented 5 months ago

Resolved