This report identifies a potential issue in TractorFacet.sol that could lead to ETH being locked in the contract. The tractor function is marked payable even though it does not process ETH.
The tractor function in the TractorFacet contract is designed to execute a Tractor blueprint as an operator. While the function itself does not handle ETH, its payable modifier lets callers attach ETH (msg.value) to the call.
Here's a breakdown of the concern:
- The function is marked payable, so users can send ETH along with the function call.
- The function never reads or uses msg.value, and there is no withdrawal path for it.
- If a user accidentally or intentionally sends ETH when calling tractor, that ETH is locked in the contract.
Loss of funds: Any ETH accidentally or intentionally sent through the tractor function will be locked in the contract and inaccessible.
Manual code review
Consider removing the payable modifier from the tractor function; a non-payable function reverts on any non-zero msg.value, so ETH can no longer be stranded by mistake. If future functionality within tractor requires ETH for specific purposes, implement a secure mechanism to handle it: document what the ETH is for, account for it explicitly, and provide a withdrawal path for authorized users.
Add a comment or NatSpec documentation to the tractor function stating that sending ETH with the call is not required and has no effect.
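The following is an added illustration, not the project's own code: a hypothetical minimal facet with the payable entry point next to the non-payable fix, plus a Foundry (forge-std) test showing that ETH is stranded in the first version and rejected by the second. The `blueprint` parameter and event are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical "before" version: `payable` with msg.value never used.
contract TractorFacetBefore {
    event BlueprintExecuted(address indexed operator, bytes32 indexed blueprintHash);

    function tractor(bytes calldata blueprint) external payable {
        // msg.value is ignored; there is no refund and no withdraw function,
        // so any ETH attached to this call stays in the contract forever.
        emit BlueprintExecuted(msg.sender, keccak256(blueprint));
    }
}

/// Hardened version per the recommendation: the modifier is dropped, so the
/// EVM-level callvalue check makes the call revert when msg.value > 0.
contract TractorFacetAfter {
    event BlueprintExecuted(address indexed operator, bytes32 indexed blueprintHash);

    /// @notice Executes a blueprint. Do not send ETH with this call.
    function tractor(bytes calldata blueprint) external {
        emit BlueprintExecuted(msg.sender, keccak256(blueprint));
    }
}

contract LockedEthTest is Test {
    function setUp() public {
        vm.deal(address(this), 2 ether); // fund the test caller
    }

    function testEthIsStrandedInPayableVersion() public {
        TractorFacetBefore f = new TractorFacetBefore();
        f.tractor{value: 1 ether}("");
        // The ETH landed in the facet and nothing can move it out.
        assertEq(address(f).balance, 1 ether);
    }

    function testNonPayableVersionRejectsEth() public {
        TractorFacetAfter f = new TractorFacetAfter();
        (bool ok, ) = address(f).call{value: 1 ether}(
            abi.encodeWithSelector(f.tractor.selector, bytes(""))
        );
        assertFalse(ok);                   // call reverted on non-zero msg.value
        assertEq(address(f).balance, 0);   // no ETH was accepted
    }
}
```

Run with `forge test`; the first test passes only because the ETH is stuck, which is exactly the condition the fix eliminates.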