DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

LikeRegistry: Locked ETH in Contract Due to Incomplete Withdrawal Mechanism

Summary

The contract allows receiving ETH via the receive() function but lacks a mechanism to withdraw any surplus ETH that is not tracked by totalFees. The existing withdrawFees function only allows withdrawing totalFees, leaving any excess ETH permanently stuck in the contract.

Vulnerability Details

The contract includes a receive() function and a payable function, both of which allow it to accept ETH. However, the only withdrawal function, withdrawFees, is limited to withdrawing the value stored in totalFees. This means any ETH sent to the contract outside of the expected fee structure will remain inaccessible.

To address this, the withdrawSurplus function has been introduced:

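    function withdrawSurplus() external onlyOwner {
        // Named recipient so the local variable does not shadow owner()
        address recipient = owner();
        uint256 balance = address(this).balance;
        // ETH held beyond the tracked fees (with Solidity 0.8+ checked
        // arithmetic this reverts if balance < totalFees)
        uint256 surplus = balance - totalFees;
        require(surplus > 0, "No surplus to withdraw");
        (bool success,) = payable(recipient).call{ value: surplus }("");
        require(success, "Transfer failed");
    }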

This function ensures that any extra ETH that is not accounted for in totalFees can be recovered by the contract owner.

Impact

Severity: High

  • ETH sent to the contract outside of the fee mechanism would be permanently locked, leading to potential fund loss.

  • The protocol’s treasury management becomes inflexible, as only totalFees can be withdrawn.

  • Users who mistakenly send ETH to the contract will have no way to recover it.

Recommended Fix

The withdrawSurplus function correctly addresses the issue by allowing the owner to withdraw excess ETH. Ensure that this function is included and properly tested before deployment to avoid permanently locked funds.
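A Foundry test for the behaviour described above, added here as an example and not taken from the submission or the DatingDapp code base. FeeVault is a constructed stand-in that reproduces only the receive()/totalFees/withdrawFees pattern from the report; the payFee function, the admin address and the amounts are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the accounting pattern in the report, not LikeRegistry itself.
contract FeeVault {
    address public immutable owner = msg.sender;
    uint256 public totalFees;

    modifier onlyOwner() { require(msg.sender == owner, "Not owner"); _; }

    receive() external payable {} // accepts ETH without updating totalFees
    function payFee() external payable { totalFees += msg.value; } // hypothetical tracked path

    function withdrawFees() external onlyOwner {
        uint256 amount = totalFees;
        totalFees = 0;
        (bool ok,) = payable(owner).call{value: amount}("");
        require(ok, "Transfer failed");
    }

    function withdrawSurplus() external onlyOwner {
        uint256 surplus = address(this).balance - totalFees; // untracked ETH only
        require(surplus > 0, "No surplus to withdraw");
        (bool ok,) = payable(owner).call{value: surplus}("");
        require(ok, "Transfer failed");
    }
}

contract FeeVaultTest is Test {
    function test_surplusIsStuckUntilWithdrawSurplus() public {
        address admin = makeAddr("admin");
        vm.prank(admin);
        FeeVault vault = new FeeVault();
        vm.deal(address(this), 4 ether);
        vault.payFee{value: 1 ether}();
        (bool sent,) = address(vault).call{value: 2 ether}(""); // untracked transfer
        assertTrue(sent);

        vm.prank(admin);
        vault.withdrawFees();
        assertEq(address(vault).balance, 2 ether); // withdrawFees cannot reach this ETH

        vault.payFee{value: 1 ether}(); // new fees accrue before the surplus is swept
        vm.prank(admin);
        vault.withdrawSurplus();
        assertEq(address(vault).balance, vault.totalFees()); // tracked fees left intact
        assertEq(admin.balance, 3 ether); // 1 ether fees + 2 ether surplus
    }
}
```

The surplus formula is only safe when totalFees is the contract's sole tracked liability; if the real contract holds any other accounted balances, they must be subtracted as well before anything is treated as surplus.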

Tools Used

  • Manual Code Review

  • Foundry Testing

Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_receive_function

Not the best design, but if you send money accidentally, that's a user mistake. Informational.
