Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

receive() function in Router allows locking of accidentally sent user’s BNB #126

Open
code423n4 opened this issue Jul 21, 2021 · 2 comments
Open

receive() function in Router allows locking of accidentally sent user’s BNB #126

code423n4 opened this issue Jul 21, 2021 · 2 comments
Assignees
@verifyfirst
Labels
0 (Non-critical) bug Something isn't working sponsor acknowledged

Comments

@code423n4
Copy link
Contributor

Handle

0xRajeev

Vulnerability details

Impact

The receive() function is executed on a call to the contract with empty calldata and is the function that is executed on plain BNB transfers via .send() or .transfer(). The presence of an empty receive() function will allow arbitrary BNB accidentally sent to this contract to get locked in the contract causing fund loss to users.

It is not clear why this is required given that the logic should only support receiving of BNB by the specific payable functions (add/swap assets) as it already does.

Proof of Concept

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L39

payable functions:
https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L46

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L51

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L74

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L79

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L154

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L163

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L168

https://github.com/code-423n4/2021-07-spartan/blob/e2555aab44d9760fdd640df9095b7235b70f035e/contracts/Router.sol#L229

Tools Used

Manual Analysis

Recommended Mitigation Steps

Remove this function or document why it is required.
@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels Jul 21, 2021
code423n4 added a commit that referenced this issue Jul 21, 2021
@code423n4
0xRajeev issue #126
856a8b5
@verifyfirst
Copy link
Collaborator

Recieve function is needed for BNB transfers

@ghoul-sol
Copy link
Collaborator

Making this non-critical as it is a best practice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@verifyfirst verifyfirst

Labels
0 (Non-critical) bug Something isn't working sponsor acknowledged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@verifyfirst @ghoul-sol @code423n4