Tags: DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Status: Invalid

Locked ETH in UnripeFacet.sol

Summary

The chop function in UnripeFacet.sol is marked payable, but its body never reads, forwards or refunds msg.value. Any ETH attached to a chop call is therefore accepted by the contract and simply retained.

Vulnerability Details

The chop function in the UnripeFacet contract lets users convert unripe tokens into their ripe counterparts. The function does not handle ETH, yet because of the payable modifier the EVM accepts any value attached to the call (ETH is not a parameter; it arrives as msg.value).

Here is a breakdown of the concern:

The function is marked payable, so a caller can attach ETH to the call.
The function body does not read msg.value: the attached ETH is neither used for anything, recorded against the caller, nor refunded.
If a user accidentally or intentionally attaches ETH to a chop call, that ETH stays in the contract's balance.

Impact

Loss of funds: ETH accidentally or intentionally attached to a chop call is retained by the contract and is not returned to the caller. This assumes no other facet of the diamond can move the contract's ETH balance; if a batching entrypoint deliberately forwards msg.value through to every call and refunds what is left over, the value is recoverable, which is the design question the judging below turns on.

Tools Used

Manual code review

Recommendations

  1. Remove the payable modifier from chop. Without it, solc inserts a CALLVALUE check and any call that carries ETH reverts before the body runs, so nothing can be retained. If chop must stay payable (for example because a batching entrypoint forwards msg.value to every call it makes), handle the value explicitly: either require msg.value == 0, or refund the unused ETH to msg.sender at the end of the call, and document why the function accepts ETH at all.

  2. Add a comment or NatSpec on the chop function stating that ETH attached to the call is not used and, under the current code, is not refunded.
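The three variants the recommendations describe, as an added Foundry example that is not Beanstalk's code: a stand-in facet whose chop is payable and ignores msg.value, the same facet with payable removed, and a payable variant that refunds stray ETH. Contract names, the unripe/ripe bookkeeping and the 2:1 ratio are hypothetical. The first test shows the attached ETH sitting in the contract with no function able to move it, the second shows the non-payable version reverting at the CALLVALUE check, and the third shows the refund path returning the value in full.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Added illustration, not Beanstalk's UnripeFacet. Contract and function
// names are hypothetical; the unripe/ripe bookkeeping is a stand-in.
abstract contract ChopBase {
    mapping(address => uint256) public unripe;
    mapping(address => uint256) public ripe;

    function mintUnripe(address to, uint256 amount) external {
        unripe[to] += amount;
    }

    // Shared chop logic: burn unripe, credit ripe at a hypothetical 2:1 ratio.
    function _chop(uint256 amount) internal returns (uint256 out) {
        unripe[msg.sender] -= amount; // reverts on underflow in 0.8.x
        out = amount / 2;
        ripe[msg.sender] += out;
    }
}

// The pattern the report describes: payable, but msg.value is never read,
// refunded or recorded, and no function can move the contract's ETH.
contract PayableChopFacet is ChopBase {
    function chop(uint256 amount) external payable returns (uint256) {
        return _chop(amount);
    }
}

// Fix 1 (recommendation 1): drop payable. solc emits a CALLVALUE check, so a
// call carrying ETH reverts before the body runs and nothing is retained.
contract NonPayableChopFacet is ChopBase {
    function chop(uint256 amount) external returns (uint256) {
        return _chop(amount);
    }
}

// Fix 2: if payable has to stay (for example because a batching entrypoint
// forwards msg.value to every call it makes), return stray ETH explicitly.
contract RefundingChopFacet is ChopBase {
    function chop(uint256 amount) external payable returns (uint256 out) {
        out = _chop(amount);
        if (msg.value > 0) {
            (bool ok, ) = msg.sender.call{value: msg.value}("");
            require(ok, "refund failed");
        }
    }
}

// Foundry tests (run with `forge test`). The test contract needs receive()
// so the refunding variant can send ETH back to it.
contract ChopEthTest is Test {
    receive() external payable {}

    function setUp() public {
        vm.deal(address(this), 10 ether);
    }

    function testEthIsRetainedByPayableChop() public {
        PayableChopFacet f = new PayableChopFacet();
        f.mintUnripe(address(this), 100);
        f.chop{value: 1 ether}(100);
        assertEq(f.ripe(address(this)), 50);
        assertEq(address(f).balance, 1 ether); // stuck: no path moves it out
    }

    function testNonPayableChopRejectsEth() public {
        NonPayableChopFacet f = new NonPayableChopFacet();
        f.mintUnripe(address(this), 100);
        (bool ok, ) = address(f).call{value: 1 ether}(
            abi.encodeWithSelector(f.chop.selector, 100)
        );
        assertFalse(ok);                        // reverted on CALLVALUE check
        assertEq(address(f).balance, 0);
        assertEq(f.unripe(address(this)), 100); // state untouched
    }

    function testRefundingChopReturnsEth() public {
        RefundingChopFacet f = new RefundingChopFacet();
        f.mintUnripe(address(this), 100);
        uint256 before = address(this).balance;
        f.chop{value: 1 ether}(100);
        assertEq(address(f).balance, 0);
        assertEq(address(this).balance, before); // refunded in full
    }
}
```

The refund variant is the one to reach for only when payable is genuinely required by a batching design; in every other case the non-payable version is simpler and removes the whole class of stray-value bugs at compile time.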

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
