The LikeRegistry contract is able to receive Ether, but it is not able to withdraw it if the Ether is not sent using the likeUser function. This results in funds being locked in the contract forever.
The LikeRegistry contract includes a receive function that allows it to receive Ether. However, there is no mechanism to withdraw Ether that is sent directly to the contract (not through the likeUser function). The withdrawFees function only allows the owner to withdraw the fees collected from the likeUser function, but not any other Ether that might be sent to the contract.
Locked Funds: Any Ether sent directly to the contract (not through the likeUser function) will be locked forever, as there is no mechanism to withdraw it.
User Dissatisfaction: Users who accidentally send Ether directly to the contract will lose their funds, leading to dissatisfaction and loss of trust in the platform.
Operational Inefficiency: The inability to withdraw all Ether from the contract can lead to operational inefficiencies and potential financial losses.
Manual code review
Implement a General Withdrawal Function: Add a function that allows the owner to withdraw any Ether held by the contract, not just the fees collected from the likeUser function.
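One way to implement the recommended withdrawal, as an added sketch that is not the audited LikeRegistry code: it limits the owner's sweep to Ether that arrived outside likeUser, so fees and user deposits stay untouched. The 10% fee split, the 1 ETH minimum, and the names userDeposits, untracked and sweepUntracked are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not the audited LikeRegistry source. The fee split,
// userDeposits, untracked and sweepUntracked are hypothetical.
contract LikeRegistrySketch {
    address public immutable owner;
    uint256 public totalFees;     // owed to the owner via withdrawFees
    uint256 public userDeposits;  // paid through likeUser, owed to users

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // Direct transfers are accepted but recorded nowhere, as in the finding.
    receive() external payable {}

    function likeUser(address liked) external payable {
        require(liked != address(0), "zero address");
        require(msg.value >= 1 ether, "send at least 1 ETH"); // assumed minimum
        uint256 fee = msg.value / 10;                         // assumed 10% fee
        totalFees += fee;
        userDeposits += msg.value - fee;
    }

    function withdrawFees() external onlyOwner {
        uint256 amount = totalFees;
        require(amount > 0, "no fees");
        totalFees = 0; // update state before the external call
        (bool ok, ) = payable(owner).call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Ether that arrived outside likeUser: balance minus everything tracked.
    function untracked() public view returns (uint256) {
        return address(this).balance - totalFees - userDeposits;
    }

    // General withdrawal restricted to untracked Ether.
    function sweepUntracked(address payable to) external onlyOwner {
        uint256 amount = untracked();
        require(amount > 0, "nothing to sweep");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```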
Not the best design, but if you send money accidentally, that's a user mistake. Informational.