Contract can accept funds with no way of extracting them #8
Comments
|
This is not a security concern, but rather a matter of preference. Enabling trusted actors to withdraw funds out of the protocol comes with its own risks, which is why Aave v2 did not include such an ability to begin with. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Github username: --
Beneficiary: 0x32cb680634a33d107FDe4CE3b0EF21F07158701B
Submission hash (on-chain): 0x547cd06bc6b1009088bb35eb62a4e97d614031a3248ec8e2f3e46461eeb89324
Severity: medium severity
Description:
Summary
Contract can accept funds with no way of extracting them
Vulnerability Detail
Contracts with payable functions (including receive) can accumulate Ether over time. If there's no method to withdraw these funds, they can remain trapped in the contract indefinitely, resulting in lost resources and a potential financial loss.
Code Snippet
VMEXOracle.sol: 35-35
VMEXOracle.sol: 409-409
Recommendation
To resolve this, a secure withdraw function should be implemented. It's recommended to limit access to this function, typically to the contract's owner or a specific set of trusted addresses. Also, to prevent re-entrancy attacks, the Checks-Effects-Interactions (CEI) pattern should be followed where state changes (effect) occur before external calls (interactions).
The text was updated successfully, but these errors were encountered: