The linked receive / fallback function performs no sanitization as to its caller and no function within the contract expects funds to have been received directly by the contract.
Impact:
Any native funds accidentally sent to the contract may be forever locked.
Example:
receive() external payable {}
Recommendation:
We advise the code to properly prohibit accidental native assets from being permanently locked in the contract by introducing a require check restricting the msg.sender to the contract(s) expected to transfer assets to the system (i.e. in case of a wrapped native version of an asset, only the WXXX contract address should be allowed). Alternatively, if the contract is not expected to receive native assets directly the function should be removed in its entirety.
chasebrownn
commented
5 months ago
EIW-02S: Potential Lock of Native Assets
Description:
The linked
receive/fallbackfunction performs no sanitization as to its caller and no function within the contract expects funds to have been received directly by the contract.Impact:
Any native funds accidentally sent to the contract may be forever locked.
Example:
Recommendation:
We advise the code to properly prohibit accidental native assets from being permanently locked in the contract by introducing a
requirecheck restricting themsg.senderto the contract(s) expected to transfer assets to the system (i.e. in case of a wrapped native version of an asset, only theWXXXcontract address should be allowed). Alternatively, if the contract is not expected to receive native assets directly the function should be removed in its entirety.