Submitted on Feb 26th 2024 at 21:58:19 UTC by @djxploit for Boost | Puffer Finance
Report ID: #28779
Report type: Smart Contract
Report severity: Insight
Target: https://etherscan.io/address/0xd9a442856c234a39a81a089c06451ebaa4306a72
Impacts:
- Permanent freezing of funds
The receive function of the PufferVault.sol contract is meant to receive Ether only from Lido. Hence, any other Ether sent to the contract (accidentally) will be locked in the contract forever, as it will not be accounted for.
Add an address check in receive() of PufferVault.sol to ensure that the only address sending the ETH received in receive() is the Lido contract.
This will prevent stray Ether from being sent accidentally to this contract and getting locked.
Ether will get permanently locked in the PufferVault contract if it is sent from an address other than the Lido contract. Furthermore, it will also affect the accounting of the totalAssets function, as it depends on the Ether balance of the contract.
https://etherscan.io/address/0xd9a442856c234a39a81a089c06451ebaa4306a72?utm_source=immunefi
Receive function of the PufferVault contract:

    receive() external payable virtual {
        VaultStorage storage $ = _getPufferVaultStorage();
        if ($.isLidoWithdrawal) {
            $.lidoLockedETH -= msg.value;
        }
    }
We can fix it by adding an address check like:

    receive() external payable virtual {
        VaultStorage storage $ = _getPufferVaultStorage();
        require($.isLidoWithdrawal, "Not allowed");
        $.lidoLockedETH -= msg.value;
    }
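The recommendation above asks for a check on the sending address, so the following added example (not PufferVault code and not part of the original report) shows that form in a minimal stand-alone contract. The contract name, `expectedSender`, `lockedETH`, `_recordWithdrawalRequest` and the simplified `totalAssets` are assumptions made for illustration; the real Lido address is not given in the report and is left as a constructor argument.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustration only: hypothetical vault, not the PufferVault implementation.
contract GuardedReceiveVault {
    /// Raised when ETH arrives from any address other than the expected one.
    error UnexpectedEthSender(address sender);

    // Assumption: the single contract allowed to push ETH into the vault
    // (for PufferVault this would be the Lido contract paying out withdrawals).
    address public immutable expectedSender;

    // ETH the vault has requested and is still waiting to receive.
    uint256 public lockedETH;

    constructor(address expectedSender_) {
        require(expectedSender_ != address(0), "zero sender");
        expectedSender = expectedSender_;
    }

    // Hypothetical hook the withdrawal-request path would call.
    function _recordWithdrawalRequest(uint256 amount) internal {
        lockedETH += amount;
    }

    // Plain transfers from anyone else revert, so the ETH returns to the
    // caller instead of sitting unaccounted in the vault balance.
    receive() external payable {
        if (msg.sender != expectedSender) {
            revert UnexpectedEthSender(msg.sender);
        }
        // Checked arithmetic (0.8+): reverts if more arrives than was pending.
        lockedETH -= msg.value;
    }

    // Simplified balance-based accounting, the kind the report says is
    // skewed when stray ETH lands in the contract.
    function totalAssets() public view returns (uint256) {
        return address(this).balance + lockedETH;
    }
}
```

A guard in `receive()` only covers transfers that execute the contract's code, so accounting that reads `address(this).balance` should still be reviewed for ETH that arrives without calling it.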