MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

No way to withdraw/retrieve the Funds/Ethers from the GatewayRouterMock

Summary

GatewayRouterMock doesn't have any function to claim/withdraw the Ether/funds from the contract.

Vulnerability Details

outboundTransfer is called inside sendDepositToken:

    function sendDepositToken(
        uint256 gasLimit_,
        uint256 maxFeePerGas_,
        uint256 maxSubmissionCost_
    ) external payable onlyDistribution returns (bytes memory) {
        DepositTokenConfig storage config = depositTokenConfig;

        // Get current stETH balance
        uint256 amountUnwrappedToken_ = IERC20(unwrappedDepositToken).balanceOf(address(this));
        // Wrap all stETH to wstETH
        uint256 amount_ = IWStETH(config.token).wrap(amountUnwrappedToken_);

        bytes memory data_ = abi.encode(maxSubmissionCost_, "");

        return
            IGatewayRouter(config.gateway).outboundTransfer{value: msg.value}(
                config.token,
                config.receiver,
                amount_,
                gasLimit_,
                maxFeePerGas_,
                data_
            );
    }

This function also forwards all the Ether provided in the transaction (msg.value) to outboundTransfer, but GatewayRouterMock doesn't have any function for claiming the contract's Ether/funds.

Impact

All the funds/ethers will be locked in GatewayRouterMock permanently.

Tools Used

Manual Review

Recommendations

Consider adding a function to claim/withdraw the funds/ethers from the GatewayRouterMock contract.
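
One way the recommendation could look, as an added example that is not the MorpheusAI GatewayRouterMock or code from this submission: a hypothetical mock whose outboundTransfer takes its arguments in the order sendDepositToken passes them and keeps msg.value, plus an owner-only withdrawal. The contract name, owner model, events and errors are assumptions, and token movement is not modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical mock for illustration only; every name here is an assumption.
contract RecoverableGatewayRouterMock {
    address public immutable owner;

    event OutboundTransfer(address indexed token, address indexed to, uint256 amount, uint256 value);
    event EtherWithdrawn(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error WithdrawFailed();

    constructor() {
        owner = msg.sender;
    }

    // Argument order matches the call in sendDepositToken:
    // (token, receiver, amount, gasLimit, maxFeePerGas, data).
    // msg.value is not forwarded anywhere, so it accumulates in this contract.
    function outboundTransfer(
        address token_,
        address to_,
        uint256 amount_,
        uint256, // gasLimit, unused by the mock
        uint256, // maxFeePerGas, unused by the mock
        bytes calldata data_
    ) external payable returns (bytes memory) {
        emit OutboundTransfer(token_, to_, amount_, msg.value);
        return data_;
    }

    // Sends the whole Ether balance to to_. Restricted to the deployer so an
    // arbitrary caller cannot drain it.
    function withdrawEther(address payable to_) external {
        if (msg.sender != owner) revert NotOwner();
        if (to_ == address(0)) revert ZeroAddress();

        uint256 balance_ = address(this).balance;
        // call instead of transfer, so recipients needing more than 2300 gas still work
        (bool ok_, ) = to_.call{value: balance_}("");
        if (!ok_) revert WithdrawFailed();

        emit EtherWithdrawn(to_, balance_);
    }
}
```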

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
