ETH Sent to receive() is Permanently Locked (Loss of Funds)
Description
The contract LikeRegistry includes a receive() function that allows it to accept ETH. However, there is no mechanism to withdraw ETH sent this way, making any funds sent directly to the contract permanently inaccessible. Since receive() does not update userBalances or totalFees, this ETH is neither used for rewards nor available for withdrawal by the owner.
Impact
Any ETH sent directly to the contract is lost forever.
The contract balance can increase indefinitely, but there is no way to recover ETH that was not explicitly counted as fees.
Users who mistakenly send ETH via receive() will never be able to withdraw it, and the owner cannot retrieve it either.
Proof of Concept
1- A user sends ETH directly to the contract:
2- The contract accepts the ETH due to receive(), but the balance remains locked:
3- Since totalFees is not updated, the owner cannot withdraw this ETH via withdrawFees().
4- The ETH is permanently stuck in the contract.
Tools Used
Manual
Recommendations
1- Implement a function to allow the owner to withdraw trapped ETH:
2- Alternatively, track ETH received in userBalances to ensure usability:
3- Do not Accept
Appeal created
invalid_receive_function
Not the best design, but if you send money accidentally, that's a user mistake. Informational.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.