The LikeRegistry contract allows ETH to be sent via its receive function but lacks a mechanism to recover or withdraw excess ETH. Additionally, when computing fees (e.g., totalRewards * FIXEDFEE / 100), if totalRewards is not evenly divisible the integer division rounds down, so small dust amounts can accumulate over time and become permanently locked in the contract.
The LikeRegistry contract has a receive function, allowing anyone to send ETH to the contract, but there is no function to withdraw these funds. Additionally, the contract performs calculations where ETH amounts are divided and fees are rounded down, leaving small dust amounts behind. Although negligible individually, these dust amounts accumulate over time and become permanently locked in the contract, leading to inefficiencies in fund management.
ETH sent mistakenly or in excess cannot be recovered.
Dust amounts resulting from rounding issues accumulate indefinitely, potentially reaching significant levels over time.
The contract owner can withdraw only the explicitly tracked fees, but excess ETH from incorrect transactions remains locked.
Manual review
Implement a recover function allowing the owner to withdraw untracked ETH that is not part of user balances or fees. If the owner is not to be fully trusted, add internal accounting so that the owner cannot rug pull the users.
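One way to implement the recommended recover function with internal accounting, as an added example that is not the LikeRegistry code: the storage variable names (userBalances, totalTracked, accumulatedFees) and the FIXEDFEE value are assumptions. The owner can only sweep ETH that the accounting does not attribute to users or fees.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch, not the audited LikeRegistry code. The storage layout
// (userBalances, totalTracked, accumulatedFees) and FIXEDFEE value are assumed.
contract RecoverableRegistry {
    uint256 public constant FIXEDFEE = 10; // percent; assumed value

    address public immutable owner;
    mapping(address => uint256) public userBalances; // ETH owed to each user
    uint256 public totalTracked;    // sum of all userBalances
    uint256 public accumulatedFees; // fees owed to the owner

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    // Stray transfers are accepted but credited to nobody, so they remain
    // "untracked" and can be recovered without touching user funds.
    receive() external payable {}

    // Every wei that enters here is tracked: the fee (rounded down, as in
    // totalRewards * FIXEDFEE / 100) goes to accumulatedFees and the rest
    // to the user, so integer division cannot strand dust in the contract.
    function creditReward(address user) external payable {
        uint256 fee = (msg.value * FIXEDFEE) / 100;
        accumulatedFees += fee;
        userBalances[user] += msg.value - fee;
        totalTracked += msg.value - fee;
    }

    // ETH the accounting does not attribute to any user or to fees.
    function untrackedBalance() public view returns (uint256) {
        return address(this).balance - totalTracked - accumulatedFees;
    }

    // The owner can sweep only the untracked surplus; user balances and
    // tracked fees are excluded by construction, so no rug pull is possible.
    function recoverUntracked(address payable to) external onlyOwner {
        uint256 amount = untrackedBalance();
        require(amount > 0, "nothing to recover");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "recover failed");
    }
}
```

Any invariant check in tests should assert address(this).balance >= totalTracked + accumulatedFees after every state-changing call, which is exactly the condition that keeps untrackedBalance from underflowing.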
Not the best design, but if you send money accidentally, that's a user mistake. Informational.