The withdrawTokens function in the Starklane contract is marked as payable, allowing it to receive Ether. This is atypical for a withdraw function and could lead to unintended consequences.
Here's a snippet of the withdrawTokens function:
The payable keyword on this function allows it to receive Ether along with the function call. The withdrawTokens function does not use the received Ether (when sent) anywhere in its logic. This means any Ether sent with the function call will be locked in the contract, leading to a loss of funds for users who mistakenly send Ether.
Aside from this, accepting Ether in a function that doesn't need it can create attack vectors.
Users may accidentally send Ether when withdrawing tokens.
Ether sent to this function could become locked in the contract.
Increased potential for user confusion and errors.
Unnecessary increase in the contract's attack surface.
Manual review
Remove the payable keyword from the withdrawTokens function.
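The pattern described above and the recommended fix, as an added illustration that is not the Starklane contract's code: a minimal hypothetical token escrow with the payable withdrawTokens beside its non-payable counterpart. The IERC20 interface, the balances mapping and the contract names are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Starklane contract's code. The token interface
// and the balance bookkeeping below are assumptions for the example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// "Before": the withdraw function is payable but never reads msg.value, and
// the contract has no function that sends Ether out, so attached Ether is
// stuck in the contract forever.
contract PayableWithdrawBefore {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function withdrawTokens(uint256 amount) external payable {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        // msg.value is never used; any Ether sent here is locked.
    }
}

// "After": dropping `payable` makes the compiler insert a check that reverts
// the whole call when msg.value != 0, so a user who attaches Ether by mistake
// keeps it (minus gas) instead of losing it, and the contract never holds
// Ether it has no business accepting.
contract PayableWithdrawAfter {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function withdrawTokens(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

To confirm the fix in a Foundry test, call `after.withdrawTokens{value: 1 ether}(1)` under `vm.expectRevert()` and check that the contract's Ether balance stays at zero; the same call against the "before" contract succeeds and leaves 1 ether sitting in the contract with no way to retrieve it.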
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.