Closed sherlock-admin closed 1 year ago
w42d3n
medium
The contract Carousel.sol has a payable depositETH() function to allow users to deposit Ethers.
However there is no receive() or fallback() function to handle native tokens.
Ether sent to contract | msg.data empty ? / \ yes no / \ receive() exists? fallback() / \ yes no / \ receive() fallback()
Ethers will be locked in the contract, users will lost funds
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L101-L118
function depositETH(uint256 _id, address _receiver) external payable override(VaultV2) minRequiredDeposit(msg.value) epochIdExists(_id) epochHasNotStarted(_id) nonReentrant { if (!isWETH) revert CanNotDepositETH(); if (_receiver == address(0)) revert AddressZero(); IWETH(address(asset)).deposit{value: msg.value}(); uint256 assets = msg.value; _deposit(_id, assets, _receiver); }
Manual Review
Add a receive or fallback function as below:
receive() external payable {}
w42d3n
medium
Carousel.sol: Ethers will be locked
Summary
The contract Carousel.sol has a payable depositETH() function to allow users to deposit Ethers.
Vulnerability Detail
However there is no receive() or fallback() function to handle native tokens.
Impact
Ethers will be locked in the contract, users will lost funds
Code Snippet
https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/Carousel/Carousel.sol#L101-L118
Tool used
Manual Review
Recommendation
Add a receive or fallback function as below: