NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Bridge Contract can receive ether but does not have any withdraw functionality

Summary :

The withdrawTokens function in the bridge contract is payable. The function does not handle ether, but if a user mistakenly sends ether along with the call, that ether can never be withdrawn from the contract.

Vulnerability Details :

https://github.com/Cyfrin/2024-07-ark-project/blob/main/apps/blockchain/ethereum/src/Bridge.sol#L153-L158

    function withdrawTokens(
        uint256[] calldata request
    )
        external
        payable
        returns (address)

The withdrawTokens function is payable, i.e. it can accept ether. If a user sends ether by mistake, it will be stuck in the contract forever.

Impact :

Ether received by this contract would be locked forever.

Tools Used :

Manual Code Review

Recommendations :

Add a withdraw function to the contract.
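
The pattern described above, next to the two usual remedies, as an added Solidity example (not part of the submission and not the Ark Project's Bridge.sol). The contract names, the stubbed function bodies and `rescueEther` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical contracts; token handling is stubbed out.

/// Pattern from the finding: a payable entry point that never reads msg.value,
/// in a contract with no function that moves ether out.
contract StuckEther {
    function withdrawTokens(uint256[] calldata request) external payable returns (address) {
        request; // silences the unused-parameter warning; msg.value is ignored
        return address(0);
    }
}

/// Option A: drop `payable`. The compiler-generated call-value check reverts
/// any call that carries ether, so a mistaken sender keeps the funds.
contract RejectsEther {
    function withdrawTokens(uint256[] calldata request) external returns (address) {
        request;
        return address(0);
    }
}

/// Option B (the submission's recommendation): keep `payable`, but give the
/// owner a way to recover ether that was sent by mistake.
contract RecoverableEther {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function withdrawTokens(uint256[] calldata request) external payable returns (address) {
        request;
        return address(0);
    }

    /// Sends the whole ether balance to `to`; restricted to the deployer.
    function rescueEther(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```

Option A returns control of the mistake to the sender at call time, while Option B adds a privileged function that itself needs access control and review.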

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
