descharre
medium
Payable functions but no way to withdraw the eth.
Summary
The function _setUp() in HatsSignerGateBase and MultiHatsSignerGate and also the constructor in HatsSignerGateBase all have the payable modifier.
Vulnerability Detail
Having the payable modifier means the function/contract can receive ether. When a contract can receive ether, there needs to be a withdraw function to get the ether back out; otherwise the eth is stuck in the contract forever.
Impact
If the caller accidentally sends eth to the contract during initialization, the eth is stuck in the contract forever.
Code Snippet
```solidity
constructor() payable initializer {
    _HatsOwned_init(1, address(0x1));
}

function setUp(bytes calldata initializeParams) public payable override initializer {
```
Tool used
Manual Review
Recommendation
Remove the payable modifier.
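The pattern behind this finding and its fix, as an added illustration (not code from the HatsSignerGate project): a minimal initializer that keeps `payable` traps any eth sent with the call, while the non-payable version from the recommendation makes such a call revert so the funds are returned to the sender. Contract names, the `initializeParams` layout and the Foundry test are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.11;

import "forge-std/Test.sol";

// Vulnerable pattern (hypothetical contract): payable initializer, no withdraw path.
contract StuckEthGate {
    address public owner;
    bool private initialized;

    function setUp(bytes calldata initializeParams) public payable {
        require(!initialized, "already initialized");
        initialized = true;
        owner = abi.decode(initializeParams, (address));
        // msg.value is now locked: nothing in this contract can move it out.
    }
}

// Hardened pattern, following the report's recommendation: drop `payable`.
// The EVM rejects any call that carries value, so eth can never enter.
contract SafeGate {
    address public owner;
    bool private initialized;

    function setUp(bytes calldata initializeParams) public {
        require(!initialized, "already initialized");
        initialized = true;
        owner = abi.decode(initializeParams, (address));
    }
}

contract GateTest is Test {
    // Eth sent with the payable initializer stays in the contract forever.
    function testEthIsStuck() public {
        StuckEthGate g = new StuckEthGate();
        g.setUp{value: 1 ether}(abi.encode(address(0xBEEF)));
        assertEq(address(g).balance, 1 ether);
    }

    // The non-payable initializer reverts on value, so nothing is trapped.
    function testNonPayableRejectsEth() public {
        SafeGate s = new SafeGate();
        bytes memory data = abi.encodeCall(SafeGate.setUp, (abi.encode(address(0xBEEF))));
        (bool ok, ) = address(s).call{value: 1 ether}(data);
        assertFalse(ok);
        assertEq(address(s).balance, 0);
    }
}
```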