Submission Details
Severity: low

Unintended Tokens Locked in Contract

Funds (Ether or tokens) could be locked in the contract if they are directly sent to the contract's address without a corresponding function call.

Vulnerability Detail

In Ethereum, sending Ether to an address without data is equivalent to calling the fallback function of the contract located at that address. If the fallback function does not have the functionality to handle incoming Ether, the Ether will be locked in the contract. The same applies to tokens: if transfer is called instead of the intended transferFrom or any other function, the tokens could be locked.

In this case, if someone mistakenly sends Ether directly to the Escrow or Factory addresses, these funds would be stuck in the contract without any way of retrieval.

Impact

This could lead to funds being irretrievably locked in the contract.

Tools Used

A detailed review of the code base was conducted to identify this issue.

Recommendation

To mitigate this issue, consider implementing a function that allows the contract owner to retrieve any unintended Ether or tokens sent to the contract. However, this function should be used with caution, as it could introduce additional security risks. Therefore, it's best to add strict access control, like onlyOwner, and possibly even a time delay to this function.
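
A sketch of the recommended recovery function, added here as an example and not taken from the audited Escrow or Factory code. Every name (DelayedRescue, _accounted, RESCUE_DELAY and its 2-day value) is hypothetical; it goes one step beyond the recommendation by capping withdrawals at the surplus over funds the contract legitimately holds, which addresses the additional risk the paragraph mentions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code; every name is hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract DelayedRescue {
    address public immutable owner;
    uint256 public constant RESCUE_DELAY = 2 days; // assumed value
    struct Request { address to; uint256 amount; uint64 readyAt; }
    mapping(address => Request) public pending; // key address(0) means Ether
    event RescueQueued(address indexed token, address indexed to, uint256 amount, uint64 readyAt);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address owner_) { owner = owner_; }

    // Assumption: the inheriting contract reports how much of each asset it
    // legitimately holds (deposits, escrowed funds), so only the surplus is sweepable.
    function _accounted(address token) internal view virtual returns (uint256);

    function surplus(address token) public view returns (uint256) {
        uint256 held = token == address(0)
            ? address(this).balance : IERC20(token).balanceOf(address(this));
        uint256 owed = _accounted(token);
        return held > owed ? held - owed : 0;
    }

    // Step 1: announce the withdrawal; the event gives users time to react.
    function queueRescue(address token, address to, uint256 amount) external onlyOwner {
        require(to != address(0), "zero recipient");
        uint64 readyAt = uint64(block.timestamp + RESCUE_DELAY);
        pending[token] = Request(to, amount, readyAt);
        emit RescueQueued(token, to, amount, readyAt);
    }

    // Step 2: after the delay, pay out, re-checking the surplus at execution time.
    function executeRescue(address token) external onlyOwner {
        Request memory r = pending[token];
        require(r.readyAt != 0 && block.timestamp >= r.readyAt, "not ready");
        require(r.amount <= surplus(token), "exceeds surplus");
        delete pending[token]; // clear state before the external call
        bool ok;
        if (token == address(0)) (ok, ) = r.to.call{value: r.amount}("");
        else ok = IERC20(token).transfer(r.to, r.amount);
        require(ok, "transfer failed");
    }
}
```

Tokens whose transfer returns no value will revert against this interface and need a safe-transfer wrapper instead of the direct call.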
