This report identifies a potential issue in the FertilizerFacet contract (FertilizerFacet.sol) that could lead to ETH being locked in the contract. The issue concerns the mintFertilizer function: it does not use any ETH sent with the call, yet it is marked as payable.
The mintFertilizer function in the FertilizerFacet contract allows users to purchase Fertilizer using Barn Raise tokens. Because the function is marked payable, users could accidentally or intentionally send ETH along with the function call.
The contract currently has no logic to handle this ETH. Since the function does not expect an ETH payment, it neither uses msg.value nor provides a withdrawal path, so any ETH sent with the call remains locked in the contract.
Loss of funds: Any ETH accidentally or intentionally sent through mintFertilizer will be locked in the contract and inaccessible.
Manual code review
Remove the payable modifier from the mintFertilizer function. This will prevent users from accidentally sending ETH along with the function call.
If the contract ever needs to accept ETH payments for future functionality related to Fertilizer purchases, implement a secure mechanism to handle them. That mechanism should document the purpose of the ETH payment, account for the received value, and ensure it can be withdrawn by authorized users.
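As an added illustration (not the audited project's code; the contract names, the simplified mintFertilizer signature and the Foundry test are assumptions), the payable-but-unused pattern beside the fixed version, with a test showing that ETH is stranded before the fix and that a call carrying ETH reverts after it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical, simplified facet: `payable` but msg.value is never read
// and there is no receive/withdraw path, so attached ETH is stuck.
contract FertilizerFacetBefore {
    mapping(address => uint256) public fertilizerOf;

    function mintFertilizer(uint256 amount) external payable {
        fertilizerOf[msg.sender] += amount; // ETH sent with the call is ignored
    }
}

// Fixed version: without `payable` the compiler emits a CALLVALUE check in
// the function dispatcher, so any call that carries ETH reverts and the
// sender keeps their funds.
contract FertilizerFacetAfter {
    mapping(address => uint256) public fertilizerOf;

    function mintFertilizer(uint256 amount) external {
        fertilizerOf[msg.sender] += amount;
    }
}

// Foundry test (the test contract is funded with ETH by default).
contract LockedEthTest is Test {
    function testEthIsStrandedBeforeFix() public {
        FertilizerFacetBefore facet = new FertilizerFacetBefore();
        facet.mintFertilizer{value: 1 ether}(10);
        // The ETH now sits in the facet with no way to recover it.
        assertEq(address(facet).balance, 1 ether);
        assertEq(facet.fertilizerOf(address(this)), 10);
    }

    function testEthCallRevertsAfterFix() public {
        FertilizerFacetAfter facet = new FertilizerFacetAfter();
        // A low-level call is needed: Solidity refuses `{value: ...}` on a
        // non-payable function at compile time.
        (bool ok, ) = address(facet).call{value: 1 ether}(
            abi.encodeCall(facet.mintFertilizer, (10))
        );
        assertFalse(ok);                         // call reverted
        assertEq(address(facet).balance, 0);     // nothing was kept
        assertEq(facet.fertilizerOf(address(this)), 0);
    }
}
```

Run with `forge test` in a project that has forge-std installed.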