Locked ether in CollectionShutdown due to incorrect implementation of receive() function
Summary
This is an error from the category: Contract can receive ether, but cannot withdraw it. Funds that were received by the contract not from registered sudoswap pools remain on it without the possibility of being withdrawn.
Thus, native tokens remain locked in the contract and disappear from general circulation.
The contract does not revert funds received from unregistered Sudoswap pools. Consequently, it does not add them to availableClaim.
The only way to withdraw native tokens from the contract is to use one's availableClaim in the claim and voteAndClaim functions. Thus, the received funds for which availableClaim is not recorded remain locked in the contract.
In general, the logic of the contract and the protocol as a whole does not intend for CollectionShutdown to receive native tokens from any addresses other than Sudoswap pools.
Impact
Medium Risk - Possible loss or lock of funds that protocol can withdraw for themself.
almantare
Medium
Locked ether in CollectionShutdown due to incorrect implementation of receive() function
Summary
This is an error from the category: Contract can receive ether, but cannot withdraw it. Funds that were received by the contract not from registered sudoswap pools remain on it without the possibility of being withdrawn.
Thus, native tokens remain locked in the contract and disappear from general circulation.
Examples of such errors:
[1](https://solodit.xyz/issues/m-06-possible-locked-ether-funds-issue-in-rcorderbooksol-code4rena-reality-cards-reality-cards-contest-git), [2](https://solodit.xyz/issues/m-03-contract-can-receive-eth-but-has-no-withdraw-function-for-it-pashov-none-moleculevesting-markdown)
Vulnerability Detail
The contract does not revert funds received from unregistered Sudoswap pools. Consequently, it does not add them to availableClaim.
The only way to withdraw native tokens from the contract is to use one's availableClaim in the
claimandvoteAndClaimfunctions. Thus, the received funds for which availableClaim is not recorded remain locked in the contract.In general, the logic of the contract and the protocol as a whole does not intend for
CollectionShutdownto receive native tokens from any addresses other than Sudoswap pools.Impact
Medium Risk - Possible loss or lock of funds that protocol can withdraw for themself.
Code Snippet
https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L529-L539
Tool used
Manual Review
Recommendation
Revert in else case in receive() or add withdraw onlyOwner function