search

sherlock-audit / 2023-09-Gitcoin-judging

11 stars 7 forks source link

0xLeveler - Funds sent to the Anchor contract are lost forever #979

Closed sherlock-admin2 closed 11 months ago

sherlock-admin2 commented 11 months ago

0xLeveler

false

Funds sent to the Anchor contract are lost forever

The Anchor contract can receive native token but does not implement the means to withdraw or collect it, meaning all funds are stuck in the contract permanently

  /// @notice This contract should be able to receive native token
    receive() external payable {}
}

Vulnerability Detail

Anchors in the Allo protocol are associated with profiles and are accessible exclusively by the profile owner. The receive() function is called automatically when tokens are sent and msg.data is empty

Impact

This is a medium vulnerability that can lead to loss of funds sent to the contract

Code Snippet

https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Anchor.sol#L86-L88

Tool used

Manual Review

Recommendation

Most contracts that have receive() or fallback functions implement a withdraw() or recoverFunds() function to pull out the native tokens in the contract. This would fix the issue.

sherlock-admin commented 11 months ago

1 comment(s) were left on this issue during the judging contest.

n33k commented:

invalid, user's fault