DatingDapp

First Flight #33
Beginner Friendly · Foundry · Solidity · NFT
100 EXP
Submission Details
Severity: low
Invalid

Absence of a Transfer Function Makes Accidentally Sent Funds Irrecoverable in LikeRegistry

Summary

The LikeRegistry contract accepts Ether via its receive() function. However, if a user or external contract mistakenly sends Ether directly to the contract, there is no mechanism to recover these funds. As a result, the Ether becomes permanently locked.

Vulnerability Details

The issue stems from the absence of a recovery function for Ether that is not tied to any protocol operation. The LikeRegistry contract tracks user balances and fees related to the likeUser() function but does not account for Ether sent outside of that path, for example through the receive() function. Since the contract has no way to withdraw untracked funds, any Ether sent directly to the contract address becomes irrecoverable.

Impact

Accidentally sent funds remain permanently locked in the contract, leading to potential financial loss for users.

Recommendations

Introduce a recovery function, restricted to the contract owner, that withdraws only untracked Ether and leaves protocol-managed balances (e.g., totalFees) intact. An example of how this function could be implemented:

function recoverStuckETH(address payable recipient, uint256 amount) external onlyOwner {
    // Only the part of the balance that is not owed to the protocol may leave.
    // Under Solidity >=0.8 the subtraction reverts if totalFees ever exceeds the balance.
    require(amount <= address(this).balance - totalFees, "Cannot withdraw protocol fees");
    (bool success,) = recipient.call{value: amount}("");
    require(success, "Transfer failed");
}
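To show the recommended guard working end to end, here is an added example written for this write-up; it is not code from DatingDapp or the LikeRegistry contract. The contract RecoverableRegistry is a hypothetical, stripped-down stand-in for LikeRegistry (only totalFees, receive() and the recovery path are modelled), and payFee(), untrackedBalance() and the StuckEthRecovered event are names introduced here. The accompanying Foundry test, which assumes forge-std is installed, sends one tracked and one untracked payment, recovers only the untracked one, and confirms that the fee balance cannot be drained through the recovery function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for LikeRegistry (added example, not the project's code).
contract RecoverableRegistry {
    address public owner;
    uint256 public totalFees; // protocol-managed balance, as in the finding

    event StuckEthRecovered(address indexed recipient, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Stand-in for the fee accounting done by likeUser(): this Ether is tracked.
    function payFee() external payable {
        require(msg.value > 0, "No fee");
        totalFees += msg.value;
    }

    // Plain transfers land here and are never recorded anywhere.
    receive() external payable {}

    // Ether held by the contract that no accounting entry explains.
    function untrackedBalance() public view returns (uint256) {
        uint256 bal = address(this).balance;
        return bal > totalFees ? bal - totalFees : 0;
    }

    // Owner-only recovery that can never dip into totalFees.
    function recoverStuckETH(address payable recipient, uint256 amount) external onlyOwner {
        require(recipient != address(0), "Zero recipient");
        require(amount <= untrackedBalance(), "Cannot withdraw protocol fees");
        (bool success,) = recipient.call{value: amount}("");
        require(success, "Transfer failed");
        emit StuckEthRecovered(recipient, amount);
    }
}

// Foundry test: the deploying test contract is the owner.
contract RecoverableRegistryTest is Test {
    RecoverableRegistry reg;
    address user = makeAddr("user");
    address payable sink = payable(makeAddr("sink"));

    function setUp() public {
        reg = new RecoverableRegistry();
        vm.deal(user, 10 ether);
    }

    function testRecoveryNeverTouchesFees() public {
        // 1 ether tracked through the fee path.
        vm.prank(user);
        reg.payFee{value: 1 ether}();

        // 2 ether sent by mistake straight to the contract (hits receive()).
        vm.prank(user);
        (bool ok,) = address(reg).call{value: 2 ether}("");
        assertTrue(ok);
        assertEq(reg.untrackedBalance(), 2 ether);

        // Owner recovers exactly the untracked amount.
        reg.recoverStuckETH(sink, 2 ether);
        assertEq(sink.balance, 2 ether);
        assertEq(address(reg).balance, 1 ether);
        assertEq(reg.totalFees(), 1 ether);

        // One more wei would come out of protocol fees, so it must revert.
        vm.expectRevert("Cannot withdraw protocol fees");
        reg.recoverStuckETH(sink, 1);

        // Non-owners cannot use the recovery path at all.
        vm.prank(user);
        vm.expectRevert("Not owner");
        reg.recoverStuckETH(sink, 0);
    }
}
```

Run with forge test after placing the file under the project's test directory. The untrackedBalance() helper saturates at zero instead of subtracting directly, so the check stays readable even if totalFees were ever to exceed the actual balance.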
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

invalid_receive_function

Not the best design, but if you send money accidentally, that's a user mistake. Informational.
