When the user is a smart contract, the user may not be able to withdraw ETH through the withdraw function #49
Labels
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Pool.sol#L44-L50
Vulnerability details
Impact
In the Exchange contract, when paymentToken == POOL, the user's balance in the Pool contract will be increased.
In the Pool contract, the wrapped ETH cannot be transferred by the owner and can be withdrawn only by the owner himself.
If the user is a smart contract and will be reverted in the fallback/receive function, the user's ETH will not be able to be withdrawn.
This vulnerability is similar to the one I previously reported in foundation, which is marked as medium.
code-423n4/2022-02-foundation-findings#12
Proof of Concept
https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Pool.sol#L44-L51
Tools Used
None
Recommended Mitigation Steps
Consider allowing the user to specify the recipient in the withdraw function
The text was updated successfully, but these errors were encountered: