DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

Unrestricted ETH Transfer Vulnerability in UnwrapAndSendETH Contract

Summary

The UnwrapAndSendETH contract is designed to unwrap WETH (Wrapped Ether) and send the equivalent amount of ETH to a specified address. However, it contains a vulnerability that allows an attacker to withdraw ETH to arbitrary destinations.

Vulnerability Details

In the unwrapAndSendETH function, the contract reads its WETH balance, withdraws it, and then transfers the entire resulting ETH balance to the caller-supplied address (to) using a low-level call. Because the function has no access controls or other checks, any user can invoke it and have the Ether sent to an address of their choosing, potentially leading to unauthorized fund transfers.

(contracts/pipeline/junctions/UnwrapAndSendETH.sol#27-35)

(bool success, ) = to.call{value: address(this).balance}(new bytes(0));

Impact

This vulnerability poses a severe risk as it allows arbitrary users to drain the Ether balance of the contract. Malicious actors can exploit this vulnerability to perform unauthorized fund transfers, leading to financial losses for the contract owner and users relying on the proper functioning of the contract.

Tools Used

The vulnerability was identified using the Slither static analysis tool, specifically leveraging the "functions-that-send-ether-to-arbitrary-destinations" detector. Slither highlighted the potential risk associated with the use of the call function in the specified contract.

Recommendations

To mitigate this vulnerability, add access control to the unwrapAndSendETH function. Consider a permission system, or require explicit authorization from designated addresses, before any transfer of Ether is allowed.
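As an added illustration (not the project's source), the following reconstructs the pattern the report describes and places the access-controlled variant the recommendation calls for beside it; the WETH interface, constructor arguments and the `authorizedCaller` name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal WETH interface: only the calls this junction needs.
interface IWETH {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 wad) external;
}

// Reconstruction of the pattern the report describes (illustrative, not the
// project's source). Any caller may invoke unwrapAndSendETH and pick `to`,
// so whatever WETH sits in the contract is forwarded to that address.
contract UnwrapAndSendETH {
    IWETH public immutable weth;

    constructor(address _weth) {
        weth = IWETH(_weth);
    }

    function unwrapAndSendETH(address to) public virtual {
        uint256 balance = weth.balanceOf(address(this));
        require(balance > 0, "no WETH to unwrap");
        weth.withdraw(balance);
        // Forward the full ETH balance; a plain call lets `to` be a contract.
        (bool success, ) = to.call{value: address(this).balance}(new bytes(0));
        require(success, "ETH transfer failed");
    }

    // Required so WETH.withdraw can send ETH back to this contract.
    receive() external payable {}
}

// Hardened variant along the lines of the recommendation: a single authorized
// caller (hypothetical `authorizedCaller`, fixed at deployment) gates the
// transfer; every other sender is rejected before any funds move.
contract UnwrapAndSendETHRestricted is UnwrapAndSendETH {
    address public immutable authorizedCaller;

    constructor(address _weth, address _authorizedCaller) UnwrapAndSendETH(_weth) {
        authorizedCaller = _authorizedCaller;
    }

    function unwrapAndSendETH(address to) public override {
        require(msg.sender == authorizedCaller, "caller not authorized");
        super.unwrapAndSendETH(to);
    }
}
```

Whether such a gate is appropriate depends on whether the junction is meant to hold funds between transactions; the judgement below records that the unrestricted behaviour was a design choice.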

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Pipeline access control
