Pieces Protocol

First Flight #32

Beginner FriendlyFoundrySolidityNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Potential Issue with Direct Ether Transfer without receive()

osuolale

Summary

The `buyOrder` function uses `call` to transfer Ether directly to the seller and the contract owner for fees.

However, there's no `receive()` function implemented in the contract, which could lead to unintended behavior or failures in Ether transfers under certain conditions:

Without `receive()` : If the recipient addresses (seller or owner) are contracts without a `receive()` or `fallback()` function, the Ether transfer via `call` might fail or behave unexpectedly. This is because the `call` operation attempts a low-level call, which, if not handled, will revert if the recipient is a contract without a payable function.

Vulnerability Details

Impact

1. Payment Failures: Without a `receive()` function, payments to contract addresses might fail, leading to funds being stuck in the `TokenDivider` contract or transactions reverting entirely.

2. User Experience: If users interact with addresses that can't receive Ether, they might not understand why their transaction failed or why they didn't receive their payment.

3. Security: While not directly a security vulnerability, it could be exploited in scenarios where an attacker could manipulate addresses to cause transaction failures, potentially leading to denial-of-service conditions or unexpected behavior.

Tools Used

Manual Review

Recommendations

To ensure the function works as expected and to enhance Ether handling:

1. Implement `receive()`:

Add a `receive()` function to handle direct Ether transfers. This would make the contract explicitly payable and help manage Ether sent directly to the contract address.

```solidity

receive() external payable {}

```

2. Fallback Function:

Optionally, a `fallback()` function can be added for handling any non-existing functions called with Ether, though this is less necessary if you're not expecting generic function calls.

```solidity

fallback() external payable {}

```

3. Error Handling:

Consider adding checks or events to log when payments fail due to the recipient not being able to accept Ether. This can help in debugging and user experience.

4. Testing:

Ensure tests cover scenarios where the recipient is a contract with and without payable functions to validate that payments work as expected.

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

181

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.