This report identifies a potential issue in ConvertFacet.sol that could lead to locked ETH within the contract. The issue is related to the convert function, which has the payable modifier.
The convert function in the ConvertFacet contract is marked as payable. This allows users to send ETH along with the function call. However, the contract currently lacks functionality to withdraw this ETH. Consequently, any ETH sent to the contract through convert will be locked and inaccessible.
Loss of funds: Any ETH accidentally or intentionally sent through convert will be locked in the contract and unavailable for use.
Reduced contract functionality: The intended functionality of convert might be unclear due to the presence of the payable modifier.
Manual code review
1) Remove the payable modifier: If the contract doesn't intend to receive ETH payments, consider removing the payable modifier from the convert function. This will prevent users from accidentally sending ETH along with the function call.
2) Implement a withdrawal mechanism: If the contract needs to receive ETH payments for specific purposes, implement a secure withdrawal mechanism. This mechanism should allow authorized users to withdraw accumulated ETH from the contract.