Dria: Swan audit contest (tags: NFT, Hardhat), 21,000 USDC prize pool

Submission Details
Severity: low
Status: Invalid

Lack of Fallback Functions to Handle Ether Sent to Contracts

Summary

The smart contracts—including Swan, SwanManager, LLMOracleCoordinator, LLMOracleRegistry, LLMOracleManager, BuyerAgent, and SwanAsset—do not implement receive() or fallback() functions.

In Solidity, these special functions are the only entry points for calls that do not name a function: receive() handles calls with empty calldata (a plain Ether transfer), and fallback() handles calls whose calldata does not match any function selector (and also empty-calldata calls when no receive() is declared). Without either of them, any attempt to send Ether directly to these contracts without invoking a specific function will cause the transaction to revert.

Vulnerability Details

The Swan protocol is intended to handle transactions using both raw Ether (ETH) and Wrapped Ether (WETH). This dual support implies that users may interact with the protocol using either form of Ether.

The contest documentation's Compatibilities section states:

## Compatibilities
The Swan protocol is compatible with any EVM-compatible chain. As the primary deployment chain Swan will be deployed on **Base Sepolia and Base Mainnet**.
Swan uses the following token standards:
* **[ERC-721](https://ethereum.org/en/developers/docs/standards/tokens/erc-721/)**: Each `SwanAsset` is an ERC-721 contract with a single supply.
* **[ERC-20](https://ethereum.org/en/developers/docs/standards/tokens/erc-20/)** (ETH, [WETH](https://base-sepolia.blockscout.com/token/0x4200000000000000000000000000000000000006)): Payments within Swan are made with an ERC20 compatible token. Oracle fees are also paid with such.
The failing interaction proceeds as follows:

  • A user, intending to send Ether to participate in the Swan protocol, initiates the transfer to one of the Swan protocol's contracts (e.g., Swan, BuyerAgent, SwanAsset).

  • Since the contracts lack receive() or fallback() functions, the EVM automatically rejects the transaction, causing it to revert.

  • The user's attempt to interact with the protocol using Ether fails, rendering them unable to perform essential interactions with the protocol.

Impact

Users attempting to interact with the protocol using raw Ether will be unable to do so, effectively blocking their participation.

Tools Used

Manual Review

Recommendations

Add both receive() and fallback() functions to all Swan protocol contracts that are intended to accept raw Ether.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.20;

contract Swan is SwanManager, UUPSUpgradeable {
    // Existing code...

    /// @notice Reverts any direct Ether transfers with a descriptive error message.
    fallback() external payable {
        revert("Direct Ether transfers not allowed. Use designated functions.");
    }

    /// @notice Reverts any direct Ether transfers with a descriptive error message.
    receive() external payable {
        revert("Direct Ether transfers not allowed. Use designated functions.");
    }
}
```
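To make the dispatch behaviour described in the Summary and the effect of the recommended fix concrete, here is an added Python model of Solidity's call-dispatch rules. It is teaching code written for this page, not the Swan project's code and not an EVM: it reproduces how a compiled contract routes a call to a selector-matched function, to receive(), or to fallback(), and compares three constructed variants of one contract (no special functions, the reverting receive()/fallback() pair proposed above, and a contract that genuinely accepts plain Ether). The only external value it relies on is the deposit() selector 0xd0e30db0 (bytes4 of keccak256("deposit()"), as on WETH9); the contract names and handlers are constructed for the example.

```python
"""Constructed model of Solidity's call-dispatch rules (not EVM code, not the
Swan project's code). RuntimeError stands in for an EVM revert."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Call:
    data: bytes        # calldata; empty for a plain ETH transfer
    value: int = 0     # wei attached to the call


Handler = Callable[["Contract", Call], str]


@dataclass
class Contract:
    # 4-byte selector -> (is_payable, handler)
    functions: Dict[bytes, Tuple[bool, Handler]] = field(default_factory=dict)
    receive: Optional[Handler] = None                 # receive() is always payable
    fallback: Optional[Tuple[bool, Handler]] = None   # (is_payable, handler)
    balance: int = 0


def dispatch(c: Contract, call: Call) -> str:
    """Route one call the way solc's generated dispatcher does.

    * empty calldata  -> receive() if present, else fallback(), else revert
    * calldata whose first 4 bytes match a function -> that function
    * anything else   -> fallback() if present, else revert
    * value > 0 sent to a non-payable target -> revert
    """
    if len(call.data) == 0:
        if c.receive is not None:
            payable, handler = True, c.receive
        elif c.fallback is not None:
            payable, handler = c.fallback
        else:
            raise RuntimeError("revert: no receive() or fallback()")
    else:
        selector = call.data[:4]
        if len(call.data) >= 4 and selector in c.functions:
            payable, handler = c.functions[selector]
        elif c.fallback is not None:
            payable, handler = c.fallback
        else:
            raise RuntimeError("revert: unknown selector and no fallback()")
    if call.value > 0 and not payable:
        raise RuntimeError("revert: value sent to a non-payable target")
    result = handler(c, call)       # a handler that raises leaves balance untouched
    c.balance += call.value
    return result


# Known selector of deposit(): bytes4(keccak256("deposit()")) == 0xd0e30db0 (WETH9).
DEPOSIT = bytes.fromhex("d0e30db0")


def accept(c: Contract, call: Call) -> str:
    return f"accepted {call.value} wei"


def reject(c: Contract, call: Call) -> str:
    # Same revert string as the recommended fix above.
    raise RuntimeError("revert: Direct Ether transfers not allowed. Use designated functions.")


def make_contracts() -> Dict[str, Contract]:
    """Three constructed variants of one contract that exposes a payable deposit()."""
    return {
        # The state the report describes: no special functions at all.
        "no_receive": Contract(functions={DEPOSIT: (True, accept)}),
        # The report's recommended fix: both special functions exist, both revert.
        "reverting_receive": Contract(functions={DEPOSIT: (True, accept)},
                                      receive=reject, fallback=(True, reject)),
        # A contract that really takes plain ETH (WETH-style wrapper behaviour).
        "accepting": Contract(functions={DEPOSIT: (True, accept)},
                              receive=accept, fallback=(True, accept)),
    }


def outcome(c: Contract, call: Call) -> str:
    """Dispatch and return either the handler result or the revert reason."""
    try:
        return dispatch(c, call)
    except RuntimeError as exc:
        return str(exc)


def plain_transfer_outcomes(value: int = 10**18) -> Dict[str, str]:
    """Send `value` wei with empty calldata to each variant."""
    return {name: outcome(c, Call(b"", value)) for name, c in make_contracts().items()}


if __name__ == "__main__":
    for name, result in plain_transfer_outcomes().items():
        print(f"{name:18s} plain transfer -> {result}")
    c = make_contracts()["no_receive"]
    print("no_receive deposit() call   ->", outcome(c, Call(DEPOSIT, 5)))
    print("no_receive unknown selector ->", outcome(c, Call(b"\x12\x34\x56\x78")))
```

Running the model shows the point a reviewer should check before filing this class of finding: a plain transfer to the "no_receive" variant reverts, and the recommended fix only changes the revert reason, since a receive() whose body reverts never accepts Ether either. Only a receive() with a non-reverting body (the "accepting" variant) lets plain ETH in, while calling a designated payable function such as deposit() works in every variant. A contract paid in an ERC-20 such as WETH needs none of this, because payment arrives through the token contract's transferFrom and no Ether is ever sent to the protocol contract.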
Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] ETH not supported as payment method

Contest details specifically state that "Payments within Swan are made with an ERC20 compatible token"; WETH's address is mentioned as well. Everything is done through ERC20 functionality.
