Missing withdraw function in L1vault.sol
Summary
The L1Vault contract lacks a specific function to withdraw or transfer tokens stored within it. Without this functionality, tokens deposited into the vault become inaccessible unless external contracts or the owner executes specific actions. This poses a critical risk of potential funds lockup.
Vulnerability Details
Absence of Withdrawal Function: The contract lacks a defined function to withdraw or transfer funds stored in the vault to other addresses or contracts.
Limited Control: Without a withdrawal function, external interaction or the owner's direct intervention is necessary to move the funds out of the vault.
Impact
The absence of a withdrawal mechanism in the L1Vault contract poses a critical risk of funds becoming stuck within the vault. Users' deposited tokens will be inaccessible without external intervention or specific owner actions.
Tools Used
Manual inspection
Recommendations
Implement a Withdrawal Function: Add a function within the L1Vault contract to enable controlled withdrawals of tokens stored in the vault. Recommendation is that owner should be able to call this but I would also recommend looking into having a trusted multi-sig address have access to this function.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.