TSender

Cyfrin
DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Forced Received ether Locked forever

Summary

Forced ether will be locked forever

Vulnerability Details

Selfdestruct and coinbase functionalities can be used to force-transfer ether into contracts. Although selfdestruct has been deprecated, it is still a usable function in the EVM. A link with more information about it:
https://ethereum.stackexchange.com/questions/144210/selfdestruct-deprecated-in-solidity-0-8-18
After such a transfer there is no way to remove the ether from the contract. In case of such occurrences, setting up a retrieval function would be beneficial.

Simple attack contract:

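// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

contract MockAttack {
    // Address that will receive the forced ether
    address public airdropper;

    // Funded at deployment; the balance is what gets forced onto the target
    constructor(address _airdropper) payable {
        airdropper = _airdropper;
    }

    // selfdestruct sends this contract's whole balance to the target
    // without calling any code on it, so the target cannot reject it
    function attackEth() public {
        selfdestruct(payable(airdropper));
    }
}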

Locked-up ether test:

//@audit send forced ether
function test_forcedEtherSent() public virtual hasSafetyChecks {
    // Set up the attack contract, funded with 1 ether
    MockAttack mockAttack = new MockAttack{value: 1 ether}(address(tSender));
    // Act
    mockAttack.attackEth();
    // Assert: the forced ether now sits in tSender's balance
    assertEq(1 ether, address(tSender).balance);
}

Impact

Locked ether won't be removed.

Tools Used

Manual review

Recommendations

Add some kind of optional function to remove accidentally sent ether, either via a receive()/fallback function or any other function that sends it to the owner of the airdropper.
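A sketch of the kind of retrieval function recommended above, as an added example that is not part of the original submission and not TSender's code. The contract name `RescuableAirdropper`, the `owner` variable, `rescueEther`, the event and the errors are all hypothetical, and the sketch assumes the contract never holds ether on behalf of users, so the whole balance is safe to sweep.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;

// Added example: hypothetical contract, not TSender's implementation.
contract RescuableAirdropper {
    // Assumption: the airdropper has a single owner fixed at deployment.
    address public immutable owner;

    event EtherRescued(address indexed to, uint256 amount);

    error NotOwner();
    error ZeroAddress();
    error NothingToRescue();
    error TransferFailed();

    constructor() {
        owner = msg.sender;
    }

    // No receive() or fallback is declared, so plain ether transfers revert.
    // Any balance here can only have arrived through forced transfers
    // (selfdestruct or being named as the block's coinbase address).

    // Sweep the entire forced balance to an address chosen by the owner.
    function rescueEther(address payable to) external {
        if (msg.sender != owner) revert NotOwner();
        if (to == address(0)) revert ZeroAddress();

        uint256 amount = address(this).balance;
        if (amount == 0) revert NothingToRescue();

        // Emit before the external call so no state or log follows it.
        emit EtherRescued(to, amount);

        // Use call and check the result; a failed send must revert.
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

If a contract does hold ether for users, the sweep has to be limited to the surplus over internally tracked deposits rather than `address(this).balance`.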

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
