This report identifies a potential issue in the PauseFacet contract (PauseFacet.sol) that could lead to locked ETH within the contract. The issue is related to both the pause and unpause functions being marked as payable even though they do not process ETH payments.
The pause and unpause functions within the PauseFacet contract are both marked as payable. These functions are designed for pausing and unpausing the contract and do not expect or require any ETH payments.
If any of these functions are accidentally or intentionally called with a value greater than 0 ETH, the sent ETH will be locked in the contract and inaccessible.
Loss of funds: Any ETH accidentally or intentionally sent through the pause or unpause functions will be locked in the contract and inaccessible.
Manual code review
Remove the payable modifier from both the pause and unpause functions. These functions currently do not handle ETH payments and making them non-payable will prevent accidental locking of ETH.
If future functionalities within the PauseFacet require ETH payments, implement proper mechanisms to handle them securely. This would involve clearly explaining the purpose of ETH payments within the function and ensuring proper processing and withdrawal for authorized users.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by the community.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.