This report identifies a potential issue in the ApprovalFacet contract (ApprovalFacet.sol) that could lead to locked ETH within the contract. The issue is related to the approveDeposit function, which has the payable modifier.
The approveDeposit function in the ApprovalFacet contract is marked as payable. This allows users to send ETH along with the function call. However, the contract currently lacks functionality to withdraw this ETH. Consequently, any ETH sent to the contract through approveDeposit will be locked and inaccessible.
Loss of funds: Any ETH accidentally or intentionally sent through approveDeposit will be locked in the contract and unavailable for use.
Reduced contract functionality: The intended functionality of approveDeposit might be unclear due to the presence of the payable modifier.
Manual code review
Remove the payable modifier: If the contract doesn't intend to receive ETH payments, consider removing the payable modifier from the approveDeposit function. This will prevent users from accidentally sending ETH along with the function call.
Implement a withdrawal mechanism: If the contract needs to receive ETH payments for specific purposes, implement a secure withdrawal mechanism. This mechanism should allow authorized users to withdraw accumulated ETH from the contract.
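The two recommendations above, sketched as an added example that is not the project's code: the signature of approveDeposit, the storage mapping, the owner check and the withdrawETH function are all hypothetical, since the report does not show the facet's source. In a real diamond facet the owner would live in diamond storage rather than in an immutable.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration. Parameter names and storage layout are assumptions.

// As reported: payable, msg.value is never used, and nothing sends ETH out.
contract ApprovalBefore {
    mapping(address => mapping(address => mapping(address => uint256))) public approved;

    function approveDeposit(address token, address spender, uint256 amount) external payable {
        approved[msg.sender][token][spender] = amount; // any attached ETH stays in the contract
    }
}

// Recommendation 1: drop payable. The compiler-inserted callvalue check
// makes every call with msg.value > 0 revert, so ETH can no longer arrive here.
contract ApprovalNonPayable {
    mapping(address => mapping(address => mapping(address => uint256))) public approved;

    function approveDeposit(address token, address spender, uint256 amount) external {
        approved[msg.sender][token][spender] = amount;
    }
}

// Recommendation 2: keep payable and add an access-controlled way out.
contract ApprovalWithWithdraw {
    address public immutable owner; // hypothetical authorization model
    mapping(address => mapping(address => mapping(address => uint256))) public approved;

    error NotOwner();
    error TransferFailed();

    constructor() {
        owner = msg.sender;
    }

    function approveDeposit(address token, address spender, uint256 amount) external payable {
        approved[msg.sender][token][spender] = amount;
    }

    // Only the owner can move accumulated ETH; a failed transfer reverts.
    function withdrawETH(address payable to, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```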