The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

The claimRewards function sending ETH never succeeds, resulting in a loss of funds.

Summary

The LiquidationPool contract has no function for receiving ETH. The ETH send in the claimRewards function never succeeds, resulting in a loss of funds.

Vulnerability Details

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L172

    function claimRewards() external {
        ITokenManager.Token[] memory _tokens = ITokenManager(tokenManager).getAcceptedTokens();
        for (uint256 i = 0; i < _tokens.length; i++) {
            ITokenManager.Token memory _token = _tokens[i];
            uint256 _rewardAmount = rewards[abi.encodePacked(msg.sender, _token.symbol)];
            if (_rewardAmount > 0) {
                delete rewards[abi.encodePacked(msg.sender, _token.symbol)];
                if (_token.addr == address(0)) {
                    (bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");
                    require(_sent);
                } else {
                    IERC20(_token.addr).transfer(msg.sender, _rewardAmount);
                }
            }
        }
    }

    (bool _sent,) = payable(msg.sender).call{value: _rewardAmount}("");

This line of code sends ETH held by the LiquidationPool contract to the msg.sender address, in the amount _rewardAmount. However, this contract has no function for receiving ETH, which will cause the ETH in the LiquidationPool contract to be permanently locked.
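A way to check a claim like this in a test, as an added example that is not code from the submission or from the audited project: the sketch below exercises the same `call{value: ...}("")` pattern against contracts with and without `receive()`. All contract and function names are hypothetical, and `check()` assumes it is called with at least 2 wei.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical names throughout; none of this is the audited code base.

// Holds ETH but defines neither receive() nor a payable fallback.
contract PoolWithoutReceive {
    mapping(address => uint256) public rewards;

    // ETH enters through an explicit payable function.
    function fund(address _holder) external payable {
        rewards[_holder] += msg.value;
    }

    // Same send pattern as the line quoted above.
    function claim() external {
        uint256 _amount = rewards[msg.sender];
        delete rewards[msg.sender];
        (bool _sent,) = payable(msg.sender).call{value: _amount}("");
        require(_sent, "send failed");
    }
}

// Claimant that accepts plain ETH transfers.
contract AcceptingClaimant {
    receive() external payable {}
    function run(PoolWithoutReceive _pool) external { _pool.claim(); }
}

// Claimant with no receive() and no payable fallback.
contract RejectingClaimant {
    function run(PoolWithoutReceive _pool) external { _pool.claim(); }
}

contract Check {
    // Each flag records whether the corresponding transfer went through.
    function check() external payable
        returns (bool plainSendToPool, bool acceptingClaim, bool rejectingClaim)
    {
        PoolWithoutReceive pool = new PoolWithoutReceive();
        AcceptingClaimant a = new AcceptingClaimant();
        RejectingClaimant r = new RejectingClaimant();
        // Empty-calldata transfer: the target needs receive() or a payable fallback.
        (plainSendToPool,) = address(pool).call{value: 1 wei}("");
        pool.fund{value: 1 wei}(address(a));
        pool.fund{value: 1 wei}(address(r));
        // The outcome of claim() is decided by the recipient's code, not the pool's.
        try a.run(pool) { acceptingClaim = true; } catch {}
        try r.run(pool) { rejectingClaim = true; } catch {}
    }
}
```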

Impact

ETH is permanently locked.

Tools Used

Manual review

Recommendations

Add a function for receiving ETH to the LiquidationPool contract:

    receive() external payable {}

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

informational/invalid
