Summary

The identified vulnerability involves multiple contracts where Ether (ETH) can be received but not withdrawn. Specifically, in the contracts MockChainlinkVerifier.sol, MockCurveStrategyRouter.sol, MockUniswapV2SwapStrategyRouter.sol, and MockUniswapV3SwapStrategyRouter.sol, the payable attribute is present, allowing ETH to be received without providing any mechanism to withdraw it. This can lead to unintended Ether lockups.

Vulnerability Details

The vulnerability arises due to the absence of a withdrawal function in contracts that are capable of receiving ETH via the payable attribute. While the ability to receive ETH may be intentional for some contracts, not having a withdrawal mechanism creates a situation where:

• ETH accidentally sent to these contracts becomes irretrievable.

• Users or developers may lose funds unintentionally.

Affected Contracts

1. MockChainlinkVerifier.sol

   • The contract includes a payable function but lacks a withdrawal mechanism.

2. MockCurveStrategyRouter.sol

   • Similar to the above, ETH can be received but not withdrawn.

3. MockUniswapV2SwapStrategyRouter.sol

   • ETH received by the contract cannot be accessed.

4. MockUniswapV3SwapStrategyRouter.sol

   • ETH locked in the contract due to missing withdrawal functionality.

Code Snippet

Example of the payable function without a corresponding withdrawal:

Impact

• Financial Loss: ETH sent to these contracts, either intentionally or by mistake, is irrecoverable.

• User Frustration: Users might inadvertently lose funds, causing a negative user experience.

• Reputation Risk: Persistent vulnerabilities like this may harm trust in the platform or project.

Tools Used

Tools Used

1. Remix IDE: To analyze the contracts and identify the presence of the payable attribute.

2. Slither: To detect functions capable of receiving ETH without corresponding withdrawal mechanisms.

Recommendations

Remove the payable Attribute:

• If the contracts are not designed to handle ETH, explicitly avoid accepting ETH by removing the payable modifier.

  // Replace this:

  function() external payable { }

  ​

  // With this:

  function() external { revert("Contract does not accept ETH"); }

  ​

• Add a Withdrawal Mechanism:

  • If ETH needs to be accepted, implement a secure withdrawal function that allows only authorized users to withdraw the funds.

  Example:

  contract Example {

  address public owner;

  ​

  constructor() {

  owner = msg.sender;

  }

  ​

  // Accept ETH

  receive() external payable {}

  ​

  // Withdraw ETH

  function withdraw() external {

  require(msg.sender == owner, "Only owner can withdraw");

  (bool success, ) = owner.call{value: address(this).balance}("");

  require(success, "Withdrawal failed");

  }

  }

• Integrate Access Controls:

  • Use access control libraries like OpenZeppelin's Ownable to restrict withdrawal to authorized addresses.

  import "@openzeppelin/contracts/access/Ownable.sol";

  ​

  contract Example is Ownable {

  receive() external payable {}

  ​

  function withdraw() external onlyOwner {

  payable(owner()).transfer(address(this).balance);

  }

  }

• Document Functionality Clearly:

  • Ensure users and developers are aware of the contract's ability to handle ETH and the steps to retrieve it if necessary.