DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Valid

createTradingAccountAndMulticall() donates the native currency that is sent to the contract

Summary

createTradingAccountAndMulticall() is a payable function and if a user sends native currency together with their call they will essentially donate their funds to the contract.

Vulnerability Details

createTradingAccountAndMulticall() is payable, but currently there isn't any logic inside the protocol that handles msg.value in any way.

In other words, users who create a trading account and use the multicall functionality have no reason to send native currency: if they are expected to, this is not stated anywhere, there is no logic that determines the amount that has to be sent, and the amount sent is not recorded in storage.

Impact

Users who send native funds, by mistake or intentionally, when calling createTradingAccountAndMulticall() will lose those funds; they receive nothing in return and no state is changed as a result of the transfer.

Tools Used

Manual Review

Recommended Mitigation

Implement any missing logic that requires native currency transfer or simply remove the payable modifier from createTradingAccountAndMulticall().
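As an added illustration (not the audited protocol's code), the sketch below contrasts the two variants: a payable entry point that never reads msg.value, so attached native currency is simply kept, and the same function with `payable` removed, where the compiler-generated check reverts any call carrying value. Everything other than the function name `createTradingAccountAndMulticall` is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch only; the account bookkeeping and multicall body are assumed.
abstract contract TradingAccountBrokerBase {
    uint128 public nextAccountId = 1;
    mapping(uint128 => address) public accountOwner;

    event TradingAccountCreated(uint128 indexed accountId, address indexed owner);

    /// Creates an account owned by msg.sender, then runs the batched calls
    /// against this contract. Nothing here reads or records msg.value.
    function _createAndMulticall(bytes[] calldata data) internal returns (bytes[] memory results) {
        uint128 accountId = nextAccountId++;
        accountOwner[accountId] = msg.sender;
        emit TradingAccountCreated(accountId, msg.sender);

        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, bytes memory ret) = address(this).delegatecall(data[i]);
            require(ok, "multicall: call failed");
            results[i] = ret;
        }
    }
}

/// Before: payable, but msg.value is never used, so any native currency
/// attached to the call accumulates in the contract with no way to recover it.
contract TradingAccountBrokerBefore is TradingAccountBrokerBase {
    function createTradingAccountAndMulticall(bytes[] calldata data)
        external
        payable
        returns (bytes[] memory)
    {
        return _createAndMulticall(data); // attached value is silently kept
    }
}

/// After: without `payable` the compiler inserts a check that reverts the whole
/// transaction when msg.value != 0, so funds cannot be donated by mistake.
contract TradingAccountBrokerAfter is TradingAccountBrokerBase {
    function createTradingAccountAndMulticall(bytes[] calldata data)
        external
        returns (bytes[] memory)
    {
        return _createAndMulticall(data);
    }
}
```

Sending value to `TradingAccountBrokerAfter.createTradingAccountAndMulticall` reverts before any state changes, which is the behaviour the mitigation above asks for.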

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`createTradingAccountAndMulticall` shouldn't be payable
