The RAACNFT contract allows users to mint NFTs by depositing ERC-20 tokens. However, the contract does not include a function to withdraw Ether that may have been mistakenly sent to it, leading to potential loss of funds.
https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/RAACNFT.sol
The contract does not have a payable function or a mechanism to withdraw mistakenly sent Ether. Since smart contracts can receive Ether through direct transfers (e.g., selfdestruct or send operations from other contracts), any Ether sent to this contract would become permanently locked, as there is no function to recover it.
Key Observations:
- The contract does not have a receive() or fallback() function to handle Ether transactions.
- There is no withdraw() function to allow the owner to retrieve any locked Ether.
- If Ether is mistakenly sent to the contract, it will be irretrievable, leading to a potential financial loss.
Loss of Ether sent to the contract by mistake.
Increased risk for users interacting with the contract, as they may accidentally send Ether and be unable to recover it.
Manual code review
To prevent locked Ether, implement the following:
- Reject Incoming Ether: Explicitly prevent Ether from being sent to the contract by adding a receive() function that reverts.
- Withdraw Function for Owner: Allow the contract owner to recover any Ether accidentally sent.
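Both recommendations combined in one minimal contract, as an added example that is not the RAACNFT source or the project's code. The contract name, the custom errors, the event and the immutable `owner` field are hypothetical and stand in for whatever access control the real contract uses. Ether forced in through selfdestruct never executes receive(), so the owner-only withdrawal is the part that recovers such a balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only. All identifiers in this contract are hypothetical.
contract EtherRecoverySketch {
    // Assumption: a single fixed owner set at deployment.
    address public immutable owner;

    error EtherNotAccepted();
    error NotOwner();
    error ZeroAddress();
    error NothingToWithdraw();
    error TransferFailed();

    event EtherRecovered(address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    /// Recommendation 1: reject plain Ether transfers with an explicit reason.
    /// A forced transfer (selfdestruct of another contract) does not run this
    /// function, so the balance can still become non-zero.
    receive() external payable {
        revert EtherNotAccepted();
    }

    /// Recommendation 2: let the owner sweep any Ether held by the contract.
    /// The whole balance is sent in one call, so a re-entrant call would find
    /// a zero balance and revert with NothingToWithdraw.
    function withdrawEther(address payable to) external {
        if (msg.sender != owner) revert NotOwner();
        if (to == address(0)) revert ZeroAddress();

        uint256 amount = address(this).balance;
        if (amount == 0) revert NothingToWithdraw();

        // Low-level call so the recipient is not limited to the 2300 gas
        // stipend; the return value is checked and a failure reverts.
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) revert TransferFailed();

        emit EtherRecovered(to, amount);
    }
}
```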