Funds sent to the Anchor contract are lost forever
The Anchor contract can receive native token but does not implement the means to withdraw or collect it, meaning all funds are stuck in the contract permanently
/// @notice This contract should be able to receive native token
receive() external payable {}
}
Vulnerability Detail
Anchors in the Allo protocol are associated with profiles and are accessible exclusively by the profile owner. The receive() function is called automatically when tokens are sent and msg.data is empty
Impact
This is a medium vulnerability that can lead to loss of funds sent to the contract
Most contracts that have receive() or fallback functions implement a withdraw() or recoverFunds() function to pull out the native tokens in the contract. This would fix the issue.
0xLeveler
false
Funds sent to the Anchor contract are lost forever
The Anchor contract can receive native token but does not implement the means to withdraw or collect it, meaning all funds are stuck in the contract permanently
Vulnerability Detail
Anchors in the Allo protocol are associated with profiles and are accessible exclusively by the profile owner. The
receive()
function is called automatically when tokens are sent andmsg.data
is emptyImpact
This is a medium vulnerability that can lead to loss of funds sent to the contract
Code Snippet
https://github.com/sherlock-audit/2023-09-Gitcoin/blob/main/allo-v2/contracts/core/Anchor.sol#L86-L88
Tool used
Manual Review
Recommendation
Most contracts that have receive() or fallback functions implement a
withdraw()
orrecoverFunds()
function to pull out the native tokens in the contract. This would fix the issue.