FoundryNFT (Beginner Friendly)
Submission Details
Severity: medium
Valid

All functions in `HorseStore.huff` are payable, unlike the Solidity version

Description

All functions in HorseStore.huff accept ether by default, even though the interface declaration `#define function name() nonpayable returns (string)` marks them as nonpayable. In Huff such declarations only drive ABI and selector generation; they do not insert a check on `callvalue`. As a result every function can receive ether, and there is currently no mechanism to withdraw it.

Impact

There is a small likelihood of unintentional loss of funds: any ether sent along with a call is locked in the contract. The behaviour also diverges from the Solidity version, which causes confusion for users, developers or auditors working with the Huff version.

Proof of Concept

Foundry PoC

```solidity
function testFunctionsArePayable() public {
    // Send 1 wei along with a call to name(). The Solidity version reverts
    // because name() is nonpayable; the Huff version accepts the value.
    (bool sent, bytes memory data) = address(horseStore).call{value: 1}(
        abi.encodeWithSignature("name()")
    );
    // This assertion fails for the Huff version, which accepts the call.
    assertFalse(sent);
    if (sent) { // sent == true means the function is payable (Huff version)
        // Return data of a function returning a string is ABI-encoded as:
        //   bytes 0-31:  offset of the string data (0x20)
        //   bytes 32-63: length of the string
        //   bytes 64-95: the string bytes, right-padded ("HorseStore")
        (, , bytes32 _name) = abi.decode(data, (bytes32, bytes32, bytes32));
        // the name is still returned correctly
        assertEq(_name, bytes32("HorseStore"));
        // and the contract balance has increased by the wei that was sent
        assertEq(address(horseStore).balance, 1);
    }
}
```

Recommended Mitigation

Include the `NON_PAYABLE` macro from the huffmate auth library and invoke it at the top of every nonpayable/view function, so that any call carrying a non-zero `callvalue` reverts. If all functions are intentionally payable (although this is not a best practice), add the `payable` keyword to all functions in the Solidity files so that both versions behave the same way.
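To show the mitigation concretely, the following is an added example and not the project's own code nor a copy of huffmate: a dispatcher that runs a `NON_PAYABLE()` guard before jumping into a nonpayable function. The guard reverts whenever `callvalue` is non-zero, which is the check the huffmate macro performs; the `GET_NAME()` body and the single-function dispatcher are assumptions written for illustration only.

```huff
// Interface declaration: this only affects ABI/selector generation.
// It does NOT make the function reject ether by itself.
#define function name() nonpayable returns (string)

// Guard: revert if the call carries any ether (assumed illustration of
// what huffmate's NON_PAYABLE macro does).
#define macro NON_PAYABLE() = takes (0) returns (0) {
    callvalue            // [msg.value]
    iszero               // [msg.value == 0]
    no_value jumpi       // []   jump over the revert when no ether was sent
    0x00 0x00 revert     //      revert with empty return data
    no_value:
}

// Function body: return the ABI-encoded string "HorseStore"
// (offset 0x20, length 10, data right-padded to 32 bytes).
#define macro GET_NAME() = takes (0) returns (0) {
    0x20 0x00 mstore     // mem[0x00] = 0x20 (offset of the string data)
    0x0a 0x20 mstore     // mem[0x20] = 10   (length of "HorseStore")
    0x486f72736553746f7265000000000000000000000000000000000000000000000
    0x40 mstore          // mem[0x40] = "HorseStore" right-padded
    0x60 0x00 return     // return mem[0x00..0x60)
}

#define macro MAIN() = takes (0) returns (0) {
    0x00 calldataload 0xE0 shr              // [selector]
    dup1 __FUNC_SIG(name) eq name_jump jumpi // jump to name() on a match
    0x00 0x00 revert                        // unknown selector: revert

    name_jump:
        NON_PAYABLE()    // enforce the nonpayable declaration before running the body
        GET_NAME()
}
```

With the guard in place, the `testFunctionsArePayable` PoC above passes for the Huff version: the call carrying 1 wei reverts, `sent` is false, and the contract balance stays at zero. Every other nonpayable or view function gets the same `NON_PAYABLE()` line at the start of its jump destination.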

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

HUFF functions are payable when they shouldn't be
