The TokenManager.tillIn function in the TokenManager contract can send ETH to arbitrary addresses because it relies on a dangerous external call. This lets an attacker direct ETH to an arbitrary user or address, potentially leading to loss of funds.
Function: TokenManager.tillIn(address,address,uint256,bool)
Source Location: src/core/TokenManager.sol#L56-L103
Dangerous Call:
The call above deposits ETH into the wrapped native token contract. If the wrappedNativeToken contract is vulnerable or behaves unexpectedly, ETH could end up at an attacker-controlled address.
Impact:
The vulnerability allows arbitrary ETH transfers to any address, which can lead to:
- Loss of funds if the attacker controls the recipient address.
- Unauthorized access to ETH held by the contract.
Tools Used: Slither
Recommendations:
- Avoid External Calls: Avoid calling external contracts that can affect state or move funds. Where such a call is necessary, make sure it is safe and the external contract is trustworthy.
- Validate Addresses: Check the destination address before sending ETH so that funds cannot be forwarded to an arbitrary address.
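One way to apply both recommendations, as an added illustration that is not the TokenManager code from the audited repository: the wrapped-native contract address is fixed at deployment (immutable, non-zero, and confirmed to hold code), and the native-token branch of a tillIn-style function forwards ETH only to that fixed contract, never to a caller-supplied address. The parameter meanings (user, token, amount, isNative), the IWrappedNative/IERC20 interfaces and the balances mapping are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal WETH-style interface (assumed for this example).
interface IWrappedNative {
    function deposit() external payable;
}

// Minimal ERC20 surface used by the non-native branch (assumed for this example).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical hardened deposit path. The only contract that ever receives ETH
// from this contract is the wrapper fixed in the constructor.
contract SafeTillIn {
    IWrappedNative public immutable wrappedNativeToken;

    // user => token => credited amount (assumed accounting model)
    mapping(address => mapping(address => uint256)) public balances;

    error ZeroAddress();
    error NotAContract(address target);
    error UnexpectedToken(address token);
    error UnexpectedValue(uint256 sent, uint256 expected);
    error TransferFailed();

    constructor(address wrappedNative) {
        // Address validation happens once, at deployment, not per call.
        if (wrappedNative == address(0)) revert ZeroAddress();
        if (wrappedNative.code.length == 0) revert NotAContract(wrappedNative);
        wrappedNativeToken = IWrappedNative(wrappedNative);
    }

    function tillIn(address user, address token, uint256 amount, bool isNative) external payable {
        if (user == address(0)) revert ZeroAddress();

        if (isNative) {
            // The declared amount must match the ETH actually sent, and the token
            // being credited must be the known wrapper, not an arbitrary address.
            if (msg.value != amount) revert UnexpectedValue(msg.value, amount);
            if (token != address(wrappedNativeToken)) revert UnexpectedToken(token);

            // The external call carries value, but its target is immutable and was
            // validated in the constructor, so no caller can redirect the ETH.
            wrappedNativeToken.deposit{value: amount}();
        } else {
            // No ETH may ride along with an ERC20 deposit; it would otherwise sit in the contract.
            if (msg.value != 0) revert UnexpectedValue(msg.value, 0);
            if (token.code.length == 0) revert NotAContract(token);

            // Plain ERC20 pull; tokens that return no bool are out of scope for this example.
            bool ok = IERC20(token).transferFrom(msg.sender, address(this), amount);
            if (!ok) revert TransferFailed();
        }

        // Effects are recorded after the interactions succeeded; a revert above leaves no credit behind.
        balances[user][token] += amount;
    }
}
```

The design point is that the address receiving ETH is never derived from call data: it is set once, checked for being a deployed contract, and stored as immutable, so the remaining trust question is only whether the chosen wrapper contract itself is sound, which is the deployer's responsibility rather than something a caller can influence.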
The following issues and their duplicates are invalid, as admin errors/input validation/malicious intents are generally considered invalid based on [codehawks guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). If they deploy/set inputs of the contracts appropriately, there will be no issue. Additionally, admins are trusted as noted in the README; they can break certain assumptions of the code based on their actions, and