DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Invalid

Locked ETH in TokenSupportFacet.sol

Summary

This report identifies potential issues in the TokenSupportFacet contract (TokenSupportFacet.sol) that could lead to locked ETH within the contract. The issues are related to several functions being marked as payable even though they do not process ETH payments directly.

Vulnerability Details

Several functions within the TokenSupportFacet contract are marked as payable even though they don't handle ETH payments. These functions are:

permitERC20
transferERC721
permitERC721
transferERC1155
batchTransferERC1155

If any of these functions is accidentally or intentionally called with a value greater than 0 ETH, the ETH sent will be locked in the contract and inaccessible.

Impact

Loss of funds: Any ETH accidentally or intentionally sent through the listed functions will be locked in the contract and inaccessible.

Tools Used

Manual code review

Recommendations

Remove the payable modifier from all the functions listed above. These functions currently do not handle ETH payments, and making them non-payable will prevent accidental locking of ETH.

Consider adding a comment or documentation explaining that the functions do not accept ETH payments.
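
A review aid for the pattern this report describes, added here as an example and not taken from the submission or the project's code: a heuristic scan that lists payable functions whose bodies never read msg.value. The Solidity sample is constructed (only the two function names come from the report; the contract name, signatures, bodies and wrapEth are assumptions).

```python
import re

# Constructed sample, not the project's source: two function names from the
# report with stand-in bodies, plus a payable function that does use msg.value.
SAMPLE = '''
contract SampleFacet {
    function permitERC20(address token, uint256 value) external payable {
        // no msg.value handling here
        IPermit(token).permit(msg.sender, address(this), value);
    }
    function transferERC721(address token, address to, uint256 id) external payable {
        IERC721(token).safeTransferFrom(msg.sender, to, id);
    }
    function wrapEth() external payable {
        IWETH(weth).deposit{value: msg.value}();
    }
}
'''

# Captures: name, parameter list, everything up to the body's opening brace.
FUNC_RE = re.compile(r'\bfunction\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{')

def strip_comments(src):
    """Drop comments so a mention of msg.value in one is not counted as a use."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def body_at(src, open_idx):
    """Return the brace-balanced block that starts at src[open_idx] == '{'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]

def payable_without_value(src):
    """Names of payable functions whose body never reads msg.value.
    Heuristic only: ETH handled in a modifier or helper is not seen."""
    src = strip_comments(src)
    flagged = []
    for m in FUNC_RE.finditer(src):
        modifiers = m.group(3).split('returns')[0]  # skip 'payable' in return types
        body = body_at(src, m.end() - 1)
        if re.search(r'\bpayable\b', modifiers) and not re.search(r'\bmsg\.value\b', body):
            flagged.append(m.group(1))
    return flagged
```

Each flagged name is a candidate for manual review, not a confirmed finding.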

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
