search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

Anubis - Unchecked Return Value for ETH Transfers in receiveETH #58

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

Anubis

medium

Unchecked Return Value for ETH Transfers in receiveETH

Summary

The return value of the ETH transfer in receiveETH is not checked, which might lead to unnoticed failures.

Vulnerability Detail

In the function receiveETH, ETH is sent to an address using call. Although the success of the call is stored in a variable (success), it's not checked or acted upon. This means the function will not revert or otherwise react if the ETH transfer fails.

Impact

The failure of the ETH transfer is silent, which can lead to discrepancies in the contract's state or accounting, as the contract might assume the transfer was successful when it was not.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L259

Tool used

Manual Review

Recommendation

Always check the return value of the low-level call and revert the transaction if the call was not successful to ensure that the contract state remains consistent.

(bool success,) = dest.call{value: value}("");
require(success, "ETH transfer failed");
sherlock-admin commented 8 months ago

2 comment(s) were left on this issue during the judging contest.

tsvetanovv commented:

Invalid. The returned value is checked

takarez commented:

invalid because {invalid: the return value was checked "if (!success)"}