NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Redundant payable Modifier in addMessageHashForAutoWithdraw Function

Summary

The addMessageHashForAutoWithdraw function is declared payable, but its body never reads msg.value or otherwise handles incoming ETH. Any ETH sent along with a call is silently accepted and, unless the contract exposes some other path to withdraw it, remains locked in the contract. This report explains why the payable modifier is unnecessary here and recommends removing it.

Vulnerability Details

The addMessageHashForAutoWithdraw function is marked payable, so the compiler-generated dispatcher does not reject calls that carry a non-zero callvalue. The function body, however, never references msg.value and has no logic that accounts for received ETH, so the payable designation serves no purpose. A caller who attaches ETH to the call gets nothing in return; the ETH simply sits in the contract balance. Note that the function is also restricted by onlyOwner (see the signature in the recommendation), so in practice only the contract owner can trigger this mistake, which limits the exposure.

Impact

Financial Loss: ETH attached to a call is accepted but never used, so it is stranded in the contract unless another function can sweep it out.

Reduced Trust: An unexplained loss of funds on an owner-only administrative call undermines confidence in the contract.

Tools Used

Manual code review

Recommendations

Remove payable Modifier: If the function does not need to receive ETH, drop the payable modifier. A non-payable function reverts whenever msg.value is non-zero, so ETH can no longer be sent to it by mistake:

function addMessageHashForAutoWithdraw(
    uint256 msgHash
) external onlyOwner {
    // Function implementation
}
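The following is an added example, not NFTBridge code, that places the payable version beside the hardened one and shows the difference in behaviour from a single harness contract. Only the function signature comes from the report; the contract names, the owner bookkeeping, the autoWithdrawHashes mapping and the StuckEthDemo harness are assumptions made so the snippet compiles and runs on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not NFTBridge code. Contract names, owner bookkeeping and
// the autoWithdrawHashes mapping are assumptions; only the function
// signature comes from the report.

// "Before": payable is declared but msg.value is never read, so ETH sent
// with the call is accepted and stays in the contract balance.
contract AutoWithdrawPayable {
    address public owner;
    mapping(uint256 => bool) public autoWithdrawHashes;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addMessageHashForAutoWithdraw(uint256 msgHash) external payable onlyOwner {
        autoWithdrawHashes[msgHash] = true; // msg.value is ignored
    }
}

// "After": without payable, the dispatcher reverts when callvalue() is
// non-zero, so ETH cannot be sent to this function by mistake.
contract AutoWithdrawFixed {
    address public owner;
    mapping(uint256 => bool) public autoWithdrawHashes;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function addMessageHashForAutoWithdraw(uint256 msgHash) external onlyOwner {
        autoWithdrawHashes[msgHash] = true;
    }
}

// Harness: deploys both contracts (so it is their owner), sends half of
// msg.value to each, and reports which call succeeded and how much ETH
// ended up stranded in the payable version.
contract StuckEthDemo {
    AutoWithdrawPayable public vulnerable = new AutoWithdrawPayable();
    AutoWithdrawFixed public hardened = new AutoWithdrawFixed();

    // Call with e.g. 2 wei. Returns (vulnerableAccepted, hardenedAccepted,
    // stuckInVulnerable). On the first call the expected result is
    // (true, false, 1): the non-payable function reverts, the payable one
    // keeps the wei it received.
    function run(uint256 msgHash) external payable returns (bool, bool, uint256) {
        require(msg.value >= 2, "send at least 2 wei");
        uint256 half = msg.value / 2;

        (bool vulnerableOk, ) = address(vulnerable).call{value: half}(
            abi.encodeWithSelector(vulnerable.addMessageHashForAutoWithdraw.selector, msgHash)
        );
        (bool hardenedOk, ) = address(hardened).call{value: half}(
            abi.encodeWithSelector(hardened.addMessageHashForAutoWithdraw.selector, msgHash)
        );

        return (vulnerableOk, hardenedOk, address(vulnerable).balance);
    }
}
```

Deploy StuckEthDemo in Remix or a Foundry script and call run with a value of 2 wei. The low-level call to AutoWithdrawPayable succeeds and leaves 1 wei in that contract with no function able to move it; the same call to AutoWithdrawFixed fails because a non-payable function rejects any non-zero callvalue before the body executes. If the function were actually meant to accept ETH, the fix would instead be to read msg.value in the body (or to revert explicitly when it is non-zero), not to leave the modifier in place unused.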
Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.
