Sparkn

CodeFox Inc.
DeFi, Foundry, Proxy
15,000 USDC
Submission Details
Severity: low

Stuck ETH

Summary

If unexpected ETH or ERC20 tokens are sent to this contract, they are stuck indefinitely, because the contract has no function to send out unexpected ETH or ERC20 tokens.

Vulnerability Details

Even though the smart contract does not include receive() or fallback() functions, ETH and ERC20 tokens can be unexpectedly sent to the smart contract in the following way:
Someone can create an attacker contract that has a selfdestruct method. When selfdestruct() is called, it can send its ETH to the distributor contract, which forcibly receives the ETH even though receive or fallback methods aren't defined. This ETH will be stuck in the contract forever.

Additionally, with the current logic, unexpected ERC20 tokens can only be divvied up amongst winners and the STADIUM_ADDRESS. There is no way for the ERC20 tokens to be returned to their owner if there is some mistake or other reason to do so.

Impact

ETH is stuck in the contract forever with no way of retrieving it.

Tools Used

VS Code

Recommendations

Implement a withdraw function to create the ability to withdraw unexpected ETH.
Add a function to handle unexpected ERC20 token transfers.
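
A sketch of both recommended functions, added here as an example; it is not code from the audited contract. The contract name, the single-owner access model, and the function, event and error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Hypothetical contract for illustration; not the audited distributor.
contract RescuableExample {
    address public immutable owner; // assumption: one trusted admin address

    error NotOwner();
    error ZeroAddress();
    error NotAContract();
    error TransferFailed();

    event EthRescued(address indexed to, uint256 amount);
    event TokenRescued(address indexed token, address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // No receive()/fallback() is defined, so plain transfers revert, but ETH
    // forced in through selfdestruct still lands in the balance. This sweeps it.
    function rescueETH(address payable to) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        uint256 amount = address(this).balance;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
        emit EthRescued(to, amount);
    }

    // Returns ERC20 tokens that were sent by mistake.
    function rescueERC20(address token, address to, uint256 amount) external onlyOwner {
        if (to == address(0)) revert ZeroAddress();
        // A low-level call to an address without code succeeds silently; reject it.
        if (token.code.length == 0) revert NotAContract();
        // Low-level call so tokens whose transfer() returns no bool still work.
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(bytes4(keccak256("transfer(address,uint256)")), to, amount)
        );
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) revert TransferFailed();
        emit TokenRescued(token, to, amount);
    }
}
```

Both functions are restricted to the owner and emit events, so any rescue is visible on-chain and can be monitored.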
