DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unwithdrawable ETH in BridgeReth Contract

PTolev

Summary

The contract can receive ETH but lacks a withdraw function, posing a potential issue.

Vulnerability Detail

The BridgeReth contract contains an empty receive function that is marked as payable. This allows someone to send a transaction with msg.value > 0, but there is no mechanism to withdraw these funds from the contract, resulting in them being permanently trapped.

Source: BridgeReth.sol

receive() external payable {}

Impact

  • Impact: High, as the funds cannot be withdrawn from the contract.

  • Likelihood: Low, as users would need to send funds by mistake.

Affected users, funds at risk, severe disruption, unavailability, incorrect function, and state not handled appropriately are potential consequences.

Tool Used

Manual Review

Recommendation

To address this issue, consider either removing the receive function altogether or adding a revert statement similar to the Diamond contract as shown below:

receive() external payable {
revert("Diamond: Does not accept ether");
}

This will prevent unintended ETH deposits from becoming permanently trapped in the contract.

Updates

Lead Judging Commences

0xnevi Lead Judge
about 2 years ago
0xnevi Lead Judge about 2 years ago
Submission Judgement Published
Invalidated
Reason: Users sending ETH/native tokens

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.