Submission Details
Severity:
Traders who create trading with multi call will lose all Eth sent along with the call and there's no wa ory to retrieve them.
Summary
There are two options to create an account with `createTradingAccount` and ` createTradingAccountAndMultiCall` users who use the later might send ETH along with the call which isn't necessary for the account creation as the contract generally deals with ERC20 tokens.
Any ETH sent along with this call will get locked in the contract without any way of retrieval.
Vulnerability Details
function createTradingAccountAndMulticall(
bytes[] calldata data,
bytes memory referralCode,
bool isCustomReferralCode
)
external
payable
virtual
returns (bytes[] memory results)
{
uint128 tradingAccountId = createTradingAccount(referralCode, isCustomReferralCode);
results = new bytes[](data.length);
for (uint256 i; i < data.length; i++) {
bytes memory dataWithAccountId = bytes.concat(data[i][0:4], abi.encode(tradingAccountId), data[i][4:]);
(bool success, bytes memory result) = address(this).delegatecall(dataWithAccountId);
if (!success) {
uint256 len = result.length;
assembly {
revert(add(result, 0x20), len)
}
}
results[i] = result;
}
}
Impact
The Eth is not forwarded to any part of the protocol and can't be retrieved, any user who sends eth along with the call will lose them.
Tools Used
Manual Review
Recommendations
Remove the payable modifier as it is not needed.
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`createTradingAccountAndMulticall` shouldn't be payable
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.