Locked ETH in PauseFacet.sol
Summary
This report identifies a potential issue in the PauseFacet contract (PauseFacet.sol) that could lead to locked ETH within the contract. The issue is related to both the pause and unpause functions being marked as payable even though they do not process ETH payments.
Vulnerability Details
The pause and unpause functions within the PauseFacet contract are both marked as payable. These functions are designed for pausing and unpausing the contract and do not expect or require any ETH payments.
If any of these functions are accidentally or intentionally called with a value greater than 0 ETH, the sent ETH will be locked in the contract and inaccessible.
Impact
Loss of funds: Any ETH accidentally or intentionally sent through the pause or unpause functions will be locked in the contract and inaccessible.
Tools Used
Manual code review
Recommendations
Remove the payable modifier from both the pause and unpause functions. These functions currently do not handle ETH payments and making them non-payable will prevent accidental locking of ETH.
If future functionalities within the PauseFacet require ETH payments, implement proper mechanisms to handle them securely. This would involve clearly explaining the purpose of ETH payments within the function and ensuring proper processing and withdrawal for authorized users.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.