Skip to content
This repository has been archived by the owner on Oct 1, 2023. It is now read-only.

0x52 - Timelock is expected to be able to send ETH but doesn't have any payable functions to receive ETH #427

Closed
sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Closed

0x52 - Timelock is expected to be able to send ETH but doesn't have any payable functions to receive ETH #427

sherlock-admin opened this issue Mar 27, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Mar 27, 2023
edited by github-actions bot
Loading

0x52

medium

Timelock is expected to be able to send ETH but doesn't have any payable functions to receive ETH

Summary

TimeLock#execute sends a message value when it calls target. The issue is there is no way for the contract to have any ETH because it doesn't contain any payable functions.

Vulnerability Detail

TimeLock.sol#L113-L116

    (bool ok, bytes memory res) = _target.call{value: _value}(data);
    if (!ok) {
        revert TxFailedError(_func);
    }

When making the call to target it includes a _value which can be specified in the function calldata. The contract, however has no way to receive ETH besides a forced self destruct call. Notably it is also missing a receive or fallback function and none of it's other functions are payable.

Impact

Timelock is expected to be send/receive ETH but can't

Code Snippet

https://github.com/sherlock-audit/2023-03-Y2K/blob/main/Earthquake/src/v2/TimeLock.sol#L74-L121

Tool used

Manual Review

Recommendation

Add a payable receive

Duplicate of #387
@github-actions github-actions bot closed this as completed Apr 3, 2023
@github-actions github-actions bot added Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Apr 3, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Apr 11, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Medium A valid Medium severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Reward A payout will be made for this issue labels Apr 28, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin