Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
42 lines (22 loc) · 1.24 KB

395.md

File metadata and controls

42 lines (22 loc) · 1.24 KB
Raw

ak1

high

UXDController.sol : The contract is not calling the mintWithEth when ETH directly sent.

Summary

mintWithEth function will be used to accept the ETH from user and mint the UXD tokens.

When the UXDController has the function receive to receive the any ETH directly sent to contract by user. But it does not mint the UXD token for those caller.

Vulnerability Detail

UXDController.sol#L87-L89 - UXDController has the receive function.

/// @notice Fallback function for this contract to receive ETH
// solhint-disable-next-line no-empty-blocks
receive() external payable {}

Impact

The contract will not be minting any UXD token for an user who directly send the ether.

ETH would be locked into the contract due to un accounting.

Code Snippet

https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L87-L89

Tool used

Manual Review

Recommendation

We would suggest following approaches on directly receiving the ETH into the contract.

If the contract want to receive the ETH through the receive then call the mintWithEth inside the receive function.

otherwise, revert the call inside the receive function if contract does not want to account the ETH directly sent by this call.