Unchecked call to refund address can lead to native tokens not being refunded #498
Labels:
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-25
insufficient quality report: This report is not of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code:
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBExecutor.sol#L54
https://github.com/code-423n4/2024-01-decent/blob/011f62059f3a0b1f3577c8ccd1140f0cf3e7bb29/src/UTBExecutor.sol#L67
Vulnerability details
Impact
Medium
Proof of Concept:
The return value of the call that refunds native tokens to the refund address is never checked. If the refund address cannot accept ETH, the extra native tokens are silently not refunded and remain stuck in UTBExecutor, which has no function for withdrawing them.
Tools Used:
Manual assessment
Recommended Mitigation Steps:
Add a function to withdraw native tokens that remain stuck in UTBExecutor.
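As an added illustration (not the Decent code, which this report only links to), a hypothetical executor shows the reported pattern next to a defensive version: a refund that cannot be delivered is recorded as claimable instead of dropped, and the owner gets the withdrawal function the report recommends. The contract and function names (`RefundExecutor`, `pendingRefunds`, `claimRefund`, `sweepStuck`) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical executor, not the Decent UTBExecutor source. It forwards a call
// with native value and returns that value to `refund` if the call fails.
contract RefundExecutor {
    address public immutable owner;
    mapping(address => uint256) public pendingRefunds; // undeliverable refunds
    uint256 public totalPending;                       // sum of the mapping
    constructor() { owner = msg.sender; }

    // VULNERABLE: the refund call's success flag is discarded, so a refund
    // address that rejects ETH leaves msg.value stranded in this contract.
    function executeUnchecked(address target, bytes calldata payload, address refund) external payable {
        (bool ok, ) = target.call{value: msg.value}(payload);
        if (!ok) refund.call{value: msg.value}(""); // return value ignored
    }

    // FIXED: same flow, but a failed refund is recorded instead of dropped.
    function execute(address target, bytes calldata payload, address refund) external payable {
        (bool ok, ) = target.call{value: msg.value}(payload);
        if (!ok) _refund(refund, msg.value);
    }

    function _refund(address to, uint256 amount) internal {
        (bool sent, ) = to.call{value: amount}("");
        if (!sent) {
            pendingRefunds[to] += amount; // make it claimable instead of stuck
            totalPending += amount;
        }
    }

    // Pull path for refunds that could not be pushed (state cleared before the call).
    function claimRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRefunds[msg.sender] = 0;
        totalPending -= amount;
        (bool sent, ) = msg.sender.call{value: amount}("");
        require(sent, "claim failed");
    }

    // The report's suggested mitigation: let the owner withdraw native value
    // that is stuck, excluding amounts still owed as pending refunds.
    function sweepStuck(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool sent, ) = to.call{value: address(this).balance - totalPending}("");
        require(sent, "sweep failed");
    }
}
```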
Assessed type
ETH-Transfer