The smart contract contains two payable functions, addMessageHashForAutoWithdraw and withdrawTokens, which can receive Ether. However, the contract lacks a mechanism to withdraw or utilize this Ether, potentially leading to permanent lock-up of funds.
The functions addMessageHashForAutoWithdraw and withdrawTokens are marked as payable, allowing them to receive Ether.
The received Ether is not used within these functions.
The contract does not implement any function to withdraw or transfer the received Ether.
There is no fallback or receive function to handle incoming Ether transactions.
This combination of factors creates a situation where Ether can be sent to the contract but cannot be retrieved, effectively locking it within the contract permanently.
Users may accidentally send Ether to the contract, resulting in the permanent loss of their funds.
The locked Ether cannot be used for any purpose, reducing the overall liquidity in the Ethereum ecosystem.
This vulnerability may lead to a loss of trust in the contract and its developers.
Manual code review
Remove the "payable" modifier from the two functions, as they are not supposed to receive ETH.
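To make the finding and the recommended fix concrete, here is an added illustration in Solidity. It is not the audited contract's code: only the two function names come from the finding, while the parameters, storage and bodies are assumptions chosen to keep the example compilable. The first contract shows the locked-Ether pattern described above; the second applies the recommendation by dropping payable, so any call that carries ETH reverts instead of silently trapping the value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. addMessageHashForAutoWithdraw
// and withdrawTokens are the names from the finding; everything else
// (bytes32 parameter, the mapping, the bodies) is an assumption.

// Vulnerable pattern: both functions are payable, neither reads msg.value,
// and no function anywhere can move address(this).balance.
contract LockedEtherVulnerable {
    mapping(bytes32 => bool) public autoWithdrawHashes;

    function addMessageHashForAutoWithdraw(bytes32 messageHash) external payable {
        autoWithdrawHashes[messageHash] = true;
        // msg.value is accepted here but never used or accounted for.
    }

    function withdrawTokens(bytes32 messageHash) external payable {
        require(autoWithdrawHashes[messageHash], "unknown hash");
        delete autoWithdrawHashes[messageHash];
        // Token transfer omitted for brevity; msg.value is again ignored.
    }

    // No receive() or fallback(), and no transfer/call/send that spends
    // the balance: ETH sent through the two functions above has no exit.
}

// Hardened form following the recommendation: the payable modifier is removed.
// The compiler inserts a callvalue() check, so a call with msg.value > 0
// reverts and the sender keeps their ETH instead of losing it.
contract LockedEtherFixed {
    mapping(bytes32 => bool) public autoWithdrawHashes;

    function addMessageHashForAutoWithdraw(bytes32 messageHash) external {
        autoWithdrawHashes[messageHash] = true;
    }

    function withdrawTokens(bytes32 messageHash) external {
        require(autoWithdrawHashes[messageHash], "unknown hash");
        delete autoWithdrawHashes[messageHash];
    }
}

// Helper for a quick check in a local test: attempts a 1 wei call against
// each contract and reports whether it was accepted.
contract LockCheck {
    function sendOneWei(address target, bytes32 messageHash)
        external
        payable
        returns (bool accepted)
    {
        (accepted, ) = target.call{value: 1 wei}(
            abi.encodeWithSignature("addMessageHashForAutoWithdraw(bytes32)", messageHash)
        );
        // Expected: true for LockedEtherVulnerable (wei now stuck there),
        // false for LockedEtherFixed (call reverted, wei stays in LockCheck).
    }
}
```

Deploying both contracts and calling LockCheck.sendOneWei with at least 1 wei of value is enough to see the difference: the vulnerable contract's balance becomes 1 wei with no function able to release it, while the fixed contract rejects the call. Note that dropping payable only stops ETH from arriving through these two functions; a contract balance can still be credited by other EVM paths, so if the design must guarantee no stranded value, an owner-only sweep function is the usual complement.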
Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.