The MembershipERC1155, MembershipFactory, and OWPIdentity contracts are capable of receiving ETH through specific functions like callExternalContract and executeMetaTransaction. However, they lack explicit receive or fallback functions to handle direct ETH transfers. This omission can lead to unintended reverts or the locking of ETH sent directly to the contract outside of its intended functions.
The MembershipERC1155, MembershipFactory, and OWPIdentity contracts are designed to handle ETH transfers via specific payable functions:
MembershipERC1155: callExternalContract is a payable function that allows the authorized role, OWP_FACTORY_ROLE, to perform external calls, potentially transferring ETH.
NativeMetaTransaction: executeMetaTransaction is another payable function, enabling users to execute meta-transactions, which may include ETH transfers.
Despite these capabilities, none of these contracts implement explicit receive or fallback functions.
If a user mistakenly sends ETH directly to the contract address without invoking the intended payable functions, the transaction will revert, preventing the accidental locking of funds. However, in the absence of receive or fallback functions, there is no graceful handling or redirection of such transfers.
Manual Review
Define a fallback function to handle unexpected function calls or ETH transfers that do not match any existing function signatures. Also define a receive function to handle plain ETH transfers.
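One way to implement this recommendation, shown as an added example that is not code from the audited repository. DirectEthHandler, sweepEth and _authorizeSweep are hypothetical names, and the sweep path is an assumption, included because ETH accepted by receive would otherwise have no way out of the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only. All names in this contract are hypothetical.
abstract contract DirectEthHandler {
    event EthReceived(address indexed from, uint256 amount);
    event EthSwept(address indexed to, uint256 amount);

    error UnknownFunction(bytes4 selector);
    error SweepFailed();

    /// Plain ETH transfer (empty calldata): accept it and log the sender,
    /// so every direct deposit is traceable off-chain.
    receive() external payable {
        emit EthReceived(msg.sender, msg.value);
    }

    /// Calldata that matches no function selector: revert with an explicit
    /// error instead of the compiler's bare revert. Any attached ETH goes
    /// back to the caller because the whole call is rolled back.
    fallback() external payable {
        revert UnknownFunction(msg.sig);
    }

    /// Access-control hook. The inheriting contract decides who may sweep
    /// (assumption: it would reuse its existing role checks here).
    function _authorizeSweep() internal view virtual;

    /// Withdraw path for ETH that arrived through receive().
    function sweepEth(address payable to) external {
        _authorizeSweep();
        uint256 amount = address(this).balance;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert SweepFailed();
        emit EthSwept(to, amount);
    }
}
```

A contract that should never hold directly sent ETH can instead revert inside receive with a custom error, which keeps the current behaviour while making the rejection reason explicit.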