Summary

The smart contract code contains external calls to addresses provided by the user, specifically in the form of self.depositCache.user.call. These calls allow arbitrary external contract calls,

Vulnerability Details

In the processDeposit function, the code performs an external call using the address provided by self.depositCache.user. The address is not validated, and the call lacks proper function signatures, allowing arbitrary calls to external contracts.

Impact

• Asset Lockup: If a user or attacker provides an address pointing to a contract that does not handle received assets correctly, it may lead to a lockup of assets within the contract. The external contract may not return assets, making them inaccessible.

• Denial of Service Attacks: Attackers can use the vulnerability to call external contracts that are intentionally designed to consume excessive resources, leading to a DoS attack on the vulnerable contract.

Tools Used

Manual code review

Recommendations

• Validate the External Address: Implement a validation step to ensure that the provided address (self.depositCache.user) is a valid and trusted contract. Use whitelists or other mechanisms to control which addresses are permitted to interact with the contract.

• Implement Function Signatures: If external contract calls are necessary as is in this case, use function signatures to specify and restrict the functions that can be invoked. This reduces the risk of arbitrary calls to functions with unintended consequences.