This report identifies a potential issue in SeasonFacet.sol that could lead to ETH being locked within the contract. The cause is that the sunrise and gm functions are marked as payable even though they do not process ETH payments.
The sunrise and gm functions in the SeasonFacet contract are designed for advancing the season and distributing rewards. These functions don't expect or require any ETH payments.
However, both functions are marked as payable, so users could accidentally or intentionally send ETH along with the function call. The contract currently lacks any functionality to handle this ETH: since the functions do not expect ETH payments, the contract does not process the value, and any ETH sent with the call remains locked in the contract.
Loss of funds: Any ETH accidentally or intentionally sent through sunrise or gm will be locked in the contract and inaccessible.
Manual code review
Remove the payable modifier from both the sunrise and gm functions. This will prevent users from accidentally sending ETH along with the function call.
Consider adding a comment or documentation explaining that the functions do not accept ETH payments.
If future functionality within SeasonFacet requires ETH payments for specific purposes related to season advancement or reward distribution, implement a secure mechanism to handle them. The purpose of such ETH payments should be clearly documented, and the mechanism should ensure proper processing of the received value and a withdrawal path for authorized users.
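The following Foundry test is an added example, not Beanstalk code: a hypothetical stand-in contract reproduces the reported pattern (a season-advancing function marked payable with no ETH handling) next to the hardened non-payable form, and the test shows the value sitting in the vulnerable contract's balance while the fixed contract rejects it. Only sunrise is modelled; gm behaves the same way.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";

// Hypothetical stand-in for the reported pattern (not the real SeasonFacet):
// the season-advancing function is payable but never touches msg.value.
contract PayableSeasonFacet {
    uint32 public season;

    function sunrise() external payable returns (uint256) {
        season += 1;
        return 0; // msg.value is silently accepted and stays in the contract
    }
}

// Hardened form: without `payable`, the EVM reverts any call that carries value.
contract FixedSeasonFacet {
    uint32 public season;

    function sunrise() external returns (uint256) {
        season += 1;
        return 0;
    }
}

contract LockedEthTest is Test {
    function testEthLockedInPayableFacet() public {
        PayableSeasonFacet facet = new PayableSeasonFacet();
        vm.deal(address(this), 1 ether);
        facet.sunrise{value: 1 ether}();
        // The ether now sits in the facet with no withdrawal path.
        assertEq(address(facet).balance, 1 ether);
        assertEq(facet.season(), 1);
    }

    function testFixedFacetRejectsEth() public {
        FixedSeasonFacet facet = new FixedSeasonFacet();
        vm.deal(address(this), 1 ether);
        // A high-level call with {value: ...} to a non-payable function is a
        // compile error, so use a low-level call to observe the runtime revert.
        (bool ok, ) = address(facet).call{value: 1 ether}(abi.encodeWithSignature("sunrise()"));
        assertFalse(ok);
        assertEq(address(facet).balance, 0);
        // A value-free call still advances the season as intended.
        facet.sunrise();
        assertEq(facet.season(), 1);
    }
}
```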