NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Unnecessary `payable` keyword on the function `withdrawTokens()`

Summary

The withdrawTokens() function is currently marked as payable, but this is unnecessary since the function does not involve any Ether transfer.

Vulnerability Details

The withdrawTokens() function is marked as payable, which allows it to receive Ether when called. However, there is no logic within the function that handles Ether transfers or utilizes the received Ether. This function only interacts with L1 and there is no need to make it payable. Marking the function as payable is redundant and potentially introduces unnecessary risk to the Bridge.

Impact

Users can mistakenly send Ether while calling the function withdrawTokens(). As there is no function to withdraw the Ether from the Bridge contract, funds can be locked in this contract until the next upgrade.

Tools Used

Manual inspection

Recommendations

Remove payable from the function withdrawTokens().
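The behaviour described above, as an added example that is not code from the audited NFTBridge or from this submission: the contract names, the `withdrawTokens(address,uint256)` signature, the `pending` mapping and the `Probe` helper are all hypothetical stand-ins. It contrasts a `payable` entry point with no Ether exit path against the same function without `payable`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a bridge whose withdrawal entry point is payable.
contract BridgePayable {
    mapping(address => uint256) public pending;

    // payable: any msg.value sent with the call is accepted.
    // Nothing in this contract can send Ether back out, so it stays here.
    function withdrawTokens(address to, uint256 amount) external payable {
        pending[to] += amount; // bookkeeping only, msg.value is never used
    }
}

// Same logic with the recommendation applied: no payable modifier.
contract BridgeFixed {
    mapping(address => uint256) public pending;

    // Non-payable: the compiler-generated check reverts when msg.value != 0.
    function withdrawTokens(address to, uint256 amount) external {
        pending[to] += amount;
    }
}

// Call run() with at least 2 wei to observe both behaviours.
contract Probe {
    function run()
        external
        payable
        returns (uint256 lockedInPayable, bool fixedRejected)
    {
        require(msg.value >= 2, "fund with 2 wei");
        BridgePayable vulnerable = new BridgePayable();
        BridgeFixed hardened = new BridgeFixed();

        // Payable version: the call succeeds and the wei is retained.
        vulnerable.withdrawTokens{value: 1 wei}(address(this), 1);
        lockedInPayable = address(vulnerable).balance;

        // Fixed version: the same call carrying value reverts.
        (bool ok, ) = address(hardened).call{value: 1 wei}(
            abi.encodeCall(BridgeFixed.withdrawTokens, (address(this), 1))
        );
        fixedRejected = !ok;
    }
}
```

Under these assumptions `run()` returns `(1, true)`: one wei is retained by the payable contract, and the non-payable version rejects the call.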

Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
