Upgraded Q -> H from 63 [1654488227536] #168

code423n4 · 2022-06-06T04:03:48Z

Judge has assessed an item in Issue #63 as High risk. The relevant finding follows:

HickupHH3 · 2022-06-06T04:05:26Z

ETH can accidentally be sent to a contract that rejects the transfer because the sent value returned by address(_to).call{value: receivedETHAmount}(''); is not actually checked.
https://github.com/code-423n4/2022-05-sturdy/blob/main/smart-contracts/LidoVault.sol#L140-L142
On line 140 a call is made to transfer ETH (bool sent, bytes memory data) = address(_to).call{value: receivedETHAmount}('');
Then on line 141 receivedETHAmount is returned.
And on line 142 the sending of ETH is checked.

Recommended Mitigation Steps
To fix this, line 141 and line 142 should be swapped.

HickupHH3 · 2022-06-06T04:06:24Z

Duplicate of #157

code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working upgraded by judge labels Jun 6, 2022

code423n4 added a commit that referenced this issue Jun 6, 2022

Upgrade for mtz issue #168

7166b48

HickupHH3 marked this as a duplicate of #157 Jun 6, 2022

HickupHH3 closed this as completed Jun 6, 2022

HickupHH3 added the duplicate This issue or pull request already exists label Jun 6, 2022

Provide feedback