Bypass of Ether Transfer Protections via selfdestruct Function.
Summary
The smart contract includes both receive and fallback functions to prevent the direct transfer of Ether to the contract.
However, due to the behavior of the selfdestruct function in Solidity, Ether can still be forcefully sent to the contract,
bypassing the protections offered by these functions.
Vulnerability Details
In Solidity, receive and fallback functions are used to handle Ether transfers sent directly to the contract without any
data or with data that doesn't match any function signature, respectively. By implementing these functions and reverting
any Ether transfers within them, a contract can effectively prevent users from directly sending Ether.
However, the selfdestruct function in Solidity allows a contract to send its remaining Ether balance to any address,
including contracts that have implemented protections against direct transfers. Since selfdestruct forcibly sends Ether
to the target address, it bypasses both the receive and fallback functions, leading to the unintended reception of Ether by the contract.
Impact
ether can be sent directly without using payable functions.
Recommendations
Lead Judging Commences
Informational / Gas
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.