Inheritable Smart Contract Wallet
First Flight #35
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

Lack of Receiver Address Validation in sendETH and sendERC20 Functions

sakamoto

Summary

The sendETH and sendERC20 functions do not validate the _to address before initiating a transaction. This introduces a risk of accidental fund loss if ETH is sent to an invalid, inaccessible, or incorrect address. While this is not a critical security vulnerability, it can result in permanent loss of funds due to human error or misconfiguration

Vulnerability Details

The function allows the contract owner to send ETH to a specified address:

function sendERC20(address _tokenAddress, uint256 _amount, address _to) external nonReentrant onlyOwner {
if (IERC20(_tokenAddress).balanceOf(address(this)) < _amount) {
revert InsufficientBalance();
}
// No address validation of _to here
IERC20(_tokenAddress).safeTransfer(_to, _amount);
_setDeadline();
}
function sendETH(uint256 _amount, address _to) external nonReentrant onlyOwner {
// No address validation of _to here
(bool success,) = _to.call{value: _amount}("");
require(success, "Transfer Failed");
_setDeadline();
}

The issue is that there is no validation on _to, meaning:

  • ETH can be sent to the zero address (address(0))

  • ETH can be sent to an inaccessible or non-existent address, making retrieval impossible.

Impact

Permanent Loss of Funds: If _to is an invalid or inaccessible address, the transferred ETH is irretrievably lost.

Tools Used

Manual Review

Recommendations

Validate _to using a simple if condition with revert statement before transferring.

Updates

Lead Judging Commences

0xtimefliez Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.