Beginner FriendlyFoundryNFT
100 EXP
Submission Details
Severity: medium
Valid

Non-Payable Entry Point in MAIN Macro of HUFF contract

Summary

The MAIN() macro in HorseStore.huff serves as the contract's entry point and dispatches calls to its functions. Huff does not insert a CALLVALUE check for you, so this entry point is payable by default and every call can carry Ether. However, as there is no functionality to withdraw Ether from the contract, the contract should not accept Ether at all.

Vulnerability Details

The vulnerability lies in the original implementation of the MAIN() macro, which allows the contract to receive Ether despite having no functionality to handle or withdraw it. Any value sent alongside a call is silently accepted, so Ether can accumulate in the contract unintentionally.

Impact

There is no withdrawal mechanism for Ether in the contract, so any ETH sent to it is stuck in the contract forever.

Tools Used

Manual review.

Recommendations

It is recommended to handle Ether explicitly in a manner appropriate for the contract's intended functionality. Since there is no Ether withdrawal mechanism, the better choice is to make the MAIN() macro non-payable by checking callvalue at the very top of the macro and reverting when it is non-zero:

#define macro MAIN() = takes (0) returns (0) {
    // Revert immediately if any Ether was sent with the call
    callvalue throw_error jumpi

    // Identify which function is being called: load the first 32 bytes of
    // calldata and shift right by 224 bits so only the 4-byte selector remains
    0x00 calldataload 0xE0 shr

    // Rest of the existing logic...

    throw_error:
        0x00 0x00 revert
}
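A Foundry regression test for the recommended fix, added here as an example and not part of the original submission or the HorseStore project. It assumes the Huff source is deployed through foundry-huff's HuffDeployer from src/HorseStore.huff and that the contract exposes an updateHorseNumber(uint256) function; both the path and the function name are assumptions. The test sends a call with and without value and checks that only the value-carrying call reverts, and that the contract balance stays at zero.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {HuffDeployer} from "foundry-huff/HuffDeployer.sol";

/// Regression test for the non-payable MAIN() entry point.
/// Assumptions (not taken from the finding): the Huff source lives at
/// src/HorseStore.huff and exposes updateHorseNumber(uint256).
contract HorseStoreNonPayableTest is Test {
    address horseStore;
    address user = makeAddr("user");

    function setUp() public {
        // foundry-huff compiles and deploys src/HorseStore.huff (assumed path)
        horseStore = HuffDeployer.deploy("HorseStore");
        vm.deal(user, 1 ether);
    }

    /// A call that carries Ether must be rejected before dispatch.
    function test_callWithValueReverts() public {
        vm.prank(user);
        (bool ok, ) = horseStore.call{value: 1 wei}(
            abi.encodeWithSignature("updateHorseNumber(uint256)", 7)
        );
        assertFalse(ok, "call carrying Ether must revert");
        assertEq(horseStore.balance, 0, "no Ether may accumulate in the contract");
    }

    /// The same call with zero value must still reach the function dispatcher.
    function test_callWithoutValueSucceeds() public {
        vm.prank(user);
        (bool ok, ) = horseStore.call(
            abi.encodeWithSignature("updateHorseNumber(uint256)", 7)
        );
        assertTrue(ok, "zero-value call must still be dispatched");
    }

    /// A plain transfer with empty calldata is also rejected by the callvalue check.
    function test_plainTransferReverts() public {
        vm.prank(user);
        (bool ok, ) = horseStore.call{value: 1 wei}("");
        assertFalse(ok, "plain Ether transfer must revert");
        assertEq(horseStore.balance, 0, "contract balance must stay zero");
    }
}
```

Run it with `forge test --match-contract HorseStoreNonPayableTest`. Against the original MAIN() the first and third tests fail because the call succeeds and the balance becomes 1 wei; with the callvalue check in place all three pass, which is the property the recommendation is meant to guarantee.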
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

HUFF functions are payable when they shouldn't be
