The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Unused/Empty Receive/Fallback Function Vulnerability in LiquidationPoolManager.sol and SmartVaultV3.sol

Summary

This report identifies a low-severity vulnerability in the LiquidationPoolManager.sol and SmartVaultV3.sol contracts: each contract can accept Ether without using it or reverting the transfer.

Vulnerability Details

The vulnerability is located in two lines of code (line 31 of LiquidationPoolManager.sol and line 125 of SmartVaultV3.sol), each of which defines an empty receive/fallback function. This function allows the contract to receive Ether from any address without any condition or logic. This can happen if the contract is sent Ether directly or as a result of a failed call.

31 receive() external payable {}

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPoolManager.sol#31

125 receive() external payable {}

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/SmartVaultV3.sol#L125

Impact

The impact of this vulnerability is low, as it does not affect the functionality or security of the contract. However, it can cause the contract to accumulate Ether that is not used or returned, which can lead to unnecessary gas costs or confusion for the users. For example, if the contract receives Ether from a user who expects to interact with the contract or receive a service, the user may not realize that the Ether is not used or refunded.

Tools Used

Manual code review

Recommendations

To prevent this vulnerability, it is recommended to either remove the empty receive/fallback function or add logic or a condition that uses the Ether or reverts the transfer.
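
The two options in the recommendation, next to the flagged pattern, as an added example in Solidity. These are hypothetical contracts, not code from the audited repository; the contract names, `expectedSender` and `sweep` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: hypothetical contracts, not code from the audited repository.

// Pattern flagged in the report: any address can send Ether, nothing records
// it, and no function can move it out again.
contract EmptyReceive {
    receive() external payable {}
}

// Option 1: define no receive() or fallback(). Plain transfers then revert.
// (Ether can still be forced in, e.g. via selfdestruct, so never rely on
// address(this).balance being zero.)
contract NoReceive {}

// Option 2: keep receive(), but accept Ether only from an expected sender,
// log every deposit, and give the owner a way to withdraw the balance.
contract GuardedReceive {
    address public immutable owner;
    address public immutable expectedSender; // assumption: one known payer

    event EtherReceived(address indexed from, uint256 amount);
    event EtherSwept(address indexed to, uint256 amount);

    error UnexpectedSender(address sender);
    error NotOwner();
    error SweepFailed();

    constructor(address _expectedSender) {
        owner = msg.sender;
        expectedSender = _expectedSender;
    }

    receive() external payable {
        if (msg.sender != expectedSender) revert UnexpectedSender(msg.sender);
        emit EtherReceived(msg.sender, msg.value);
    }

    function sweep(address payable to) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 amount = address(this).balance;
        emit EtherSwept(to, amount); // undone if the transfer below reverts
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert SweepFailed();
    }
}
```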

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

informational/invalid
