NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unclear purpose and handling of Ether in payable Withdrawal function

Summary

The withdrawTokens function is marked as payable, allowing it to receive Ether, but the purpose and handling of this Ether are not clear from the provided code. This could lead to locked funds for users (accidentally) sending ETH while calling the function.

Vulnerability Details

The withdrawTokens function in the L1 bridge contract is declared as payable:

function withdrawTokens(uint256[] calldata request) external payable returns (address)

However, the code provided shows no use or handling of the received Ether, which leaves the function's intended behavior with regard to sent funds unclear.

Impact

If Ether is sent to this function but not properly handled, it could become locked in the contract, potentially leading to loss of funds for users.

Tools Used

Manual Review.

Recommendations

Consider removing the payable keyword from the function declaration.
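As an added illustration, not code from the NFTBridge contracts (whose bodies are not shown in this finding), a hypothetical bridge stub with the payable signature beside the recommended non-payable form, plus a Foundry test showing that Ether sent to the payable version has no path out while the fixed version rejects it. The request decoding and the recipient are constructed assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the L1 bridge (not the audited code): request
// decoding is stubbed; only the handling of msg.value matters here.
contract BridgeVulnerable {
    event Withdrawn(address indexed to, uint256[] request);

    // payable, but msg.value is never read, credited or forwarded
    function withdrawTokens(uint256[] calldata request) external payable returns (address) {
        address to = address(uint160(request[0]));
        emit Withdrawn(to, request);
        return to;
    }
    // no receive/fallback/sweep function: ETH that lands here has no path out
}

// Recommended fix: drop payable, so a call carrying value reverts before any
// state change and the caller keeps the ETH.
contract BridgeFixed {
    event Withdrawn(address indexed to, uint256[] request);

    function withdrawTokens(uint256[] calldata request) external returns (address) {
        address to = address(uint160(request[0]));
        emit Withdrawn(to, request);
        return to;
    }
}

// Foundry test demonstrating both behaviours (run with `forge test`).
contract StuckEtherTest is Test {
    function _request() internal pure returns (uint256[] memory req) {
        req = new uint256[](1);
        req[0] = uint160(address(0xBEEF)); // constructed recipient
    }

    function test_EtherStuckInVulnerable() public {
        BridgeVulnerable b = new BridgeVulnerable();
        vm.deal(address(this), 1 ether);
        b.withdrawTokens{value: 1 ether}(_request());
        assertEq(address(b).balance, 1 ether); // stuck: no function can move it
    }

    function test_FixedRejectsValue() public {
        BridgeFixed b = new BridgeFixed();
        vm.deal(address(this), 1 ether);
        (bool ok, ) = address(b).call{value: 1 ether}(abi.encodeCall(b.withdrawTokens, (_request())));
        assertFalse(ok); // reverted: non-payable function refuses the value
        assertEq(address(b).balance, 0);
    }
}
```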

Updates

Lead Judging Commences

n0kto Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
