sherlock-audit / 2023-04-unitasprotocol-judging

4 stars 3 forks source link

PRAISE - There's no function to withdraw ETH received via receive() function, ETH can be stuck in TimelockController.sol #91

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

PRAISE

high

There's no function to withdraw ETH received via receive() function, ETH can be stuck in TimelockController.sol

Summary

no function to pull out ETH received via the receive() function

Vulnerability Detail

When designing smart contracts that receive ETH through the receive() function, it is essential to include a withdrawal function to pull out that received ETH.

Without a withdrawal function, ETH received through the receive() function may become trapped within the contract. This situation can arise due to unexpected behavior or limitations of the contract's logic. By incorporating a withdrawal function, users can ensure that funds are not unintentionally left within the contract, providing a safety net against stuck or stranded funds.

Impact

ETH can be stuck in the TimelockController.sol contract.

Code Snippet

https://github.com/sherlock-audit/2023-04-unitasprotocol/blob/main/Unitas-Protocol/src/TimelockController.sol#L117C1-L119

Tool used

Manual Review

Recommendation

add a withdraw() function, so as to ensure that the sent ETH is withdrawable to avoid stuck funds.