The createTradingAccountAndMulticall (https://github.com/Cyfrin/2024-07-zaros/blob/d687fe96bb7ace8652778797052a38763fbcbb1b/src/perpetuals/branches/TradingAccountBranch.sol#L285) function is marked as payable, allowing it to receive ETH. However, there is no mechanism to withdraw the ETH, leading to potential permanent loss of funds for users who accidentally send ETH to the contract.
The TradingAccountBranch::createTradingAccountAndMulticall() function
Issue: The function can receive ETH due to the payable modifier, but there is no way to withdraw the ETH from the contract.
Consequence: Users who send ETH to this contract will lose their funds permanently as there is no withdrawal mechanism.
User Funds at Risk: Users may accidentally send ETH to the contract, resulting in a permanent loss of their funds.
Contract Usability: The presence of the payable modifier without a corresponding withdrawal mechanism can lead to confusion and potential financial loss.
Manual Review
Remove payable Modifier: If the function does not need to handle ETH, remove the payable modifier.
Add Withdrawal Function: If the contract needs to handle ETH, add a function to withdraw ETH.
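The two recommendations above, as an added illustration written for this finding rather than code taken from the Zaros repository. The function bodies are stubbed and the parameter list is a simplified assumption; only the ETH-handling difference matters here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Sketch of the reported pattern (not the Zaros contract): the function
// is payable, but the contract exposes no path to move ETH back out, so
// any value sent along with the call is stranded permanently.
contract VulnerableSketch {
    function createTradingAccountAndMulticall(bytes[] calldata data)
        external
        payable
        returns (bytes[] memory results)
    {
        results = new bytes[](data.length); // real work omitted
    }
}

// Option 1: drop `payable`. The compiler inserts a check that reverts
// any call carrying msg.value, so ETH can never be sent by accident.
contract FixedNonPayable {
    function createTradingAccountAndMulticall(bytes[] calldata data)
        external
        returns (bytes[] memory results)
    {
        results = new bytes[](data.length); // real work omitted
    }
}

// Option 2: keep `payable` only if ETH is genuinely needed, and pair it
// with an access-controlled sweep so value cannot be stranded. Sweeping
// the full balance is only appropriate when the contract is not meant to
// hold ETH on behalf of users.
contract FixedWithSweep {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function createTradingAccountAndMulticall(bytes[] calldata data)
        external
        payable
        returns (bytes[] memory results)
    {
        results = new bytes[](data.length); // real work omitted
    }

    function sweepETH(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}
```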