
Cuddly Ocean Gibbon - Locked ether in CollectionShutdown due to incorrect implementation of receive() function #772

Open
sherlock-admin4 opened this issue Sep 15, 2024 · 0 comments

Cuddly Ocean Gibbon

Medium

Locked ether in CollectionShutdown due to incorrect implementation of receive() function

Summary

This is an error of the "contract can receive ether but cannot withdraw it" category. Funds that the contract receives from senders other than registered Sudoswap pools remain in it with no way to withdraw them.

Thus, native tokens remain locked in the contract and are removed from general circulation.

Examples of such errors:

[1](https://solodit.xyz/issues/m-06-possible-locked-ether-funds-issue-in-rcorderbooksol-code4rena-reality-cards-reality-cards-contest-git), [2](https://solodit.xyz/issues/m-03-contract-can-receive-eth-but-has-no-withdraw-function-for-it-pashov-none-moleculevesting-markdown)

Vulnerability Detail

The contract does not revert on funds received from senders that are not registered Sudoswap pools. Consequently, it does not add them to availableClaim either.

The only way to withdraw native tokens from the contract is to spend one's availableClaim through the claim and voteAndClaim functions. Thus, received funds for which no availableClaim is recorded remain locked in the contract.

In general, the logic of the contract and the protocol as a whole does not intend for CollectionShutdown to receive native tokens from any addresses other than Sudoswap pools.

Impact

Medium risk: possible loss or locking of funds that the protocol could otherwise withdraw for itself.

Code Snippet

https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/utils/CollectionShutdown.sol#L529-L539

Tool used

Manual Review

Recommendation

Revert in the else case of receive(), or add an onlyOwner withdraw function.
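The following is a constructed illustration of the pattern described in Vulnerability Detail and of both options in the Recommendation; it is not the Flayer CollectionShutdown code. The identifiers isRegisteredPool, registerPool, totalClaimable and sweepStrayEther, and the simplified per-sender accounting in receive(), are assumptions made for this example; availableClaim and claim are the names used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not the project's code). isRegisteredPool, registerPool,
// totalClaimable and sweepStrayEther are assumed names for illustration.

// Vulnerable pattern: receive() credits registered pools and silently keeps
// everything else, so ether from any other sender has no exit path.
contract ShutdownVulnerable {
    address public immutable owner;
    mapping(address => bool) public isRegisteredPool;  // assumed pool registry
    mapping(address => uint256) public availableClaim; // name taken from the finding

    constructor() { owner = msg.sender; }

    function registerPool(address pool) external {
        require(msg.sender == owner, "not owner");
        isRegisteredPool[pool] = true;
    }

    receive() external payable {
        if (isRegisteredPool[msg.sender]) {
            // simplified: the real accounting attributes value to a collection
            availableClaim[msg.sender] += msg.value;
        }
        // else: value is accepted but never recorded in availableClaim, and
        // claim() is the only withdrawal path, so this ether is locked forever
    }

    function claim() external {
        uint256 amount = availableClaim[msg.sender];
        require(amount > 0, "nothing to claim");
        availableClaim[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hardened pattern: both parts of the recommendation. Unknown senders are
// rejected in receive(), and an onlyOwner sweep covers ether that can still
// arrive without calling receive() (e.g. via selfdestruct), which no revert
// can prevent.
contract ShutdownHardened {
    address public immutable owner;
    mapping(address => bool) public isRegisteredPool;
    mapping(address => uint256) public availableClaim;
    uint256 public totalClaimable; // sum of all availableClaim, so stray ether is identifiable

    error UnexpectedSender(address sender);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function registerPool(address pool) external onlyOwner { isRegisteredPool[pool] = true; }

    receive() external payable {
        // Option 1 from the recommendation: revert for anything but a registered pool
        if (!isRegisteredPool[msg.sender]) revert UnexpectedSender(msg.sender);
        availableClaim[msg.sender] += msg.value;
        totalClaimable += msg.value;
    }

    function claim() external {
        uint256 amount = availableClaim[msg.sender];
        require(amount > 0, "nothing to claim");
        availableClaim[msg.sender] = 0;
        totalClaimable -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Option 2 from the recommendation: owner-only withdrawal, restricted to
    // ether that does not back any availableClaim so user funds are never touched.
    function sweepStrayEther(address payable to) external onlyOwner {
        uint256 stray = address(this).balance - totalClaimable;
        require(stray > 0, "nothing to sweep");
        (bool ok, ) = to.call{value: stray}("");
        require(ok, "transfer failed");
    }
}
```

A unit test for the vulnerable contract would send ether from an address that is not a registered pool, observe that the send succeeds, that availableClaim for that address stays zero, and that no function can reduce the contract balance; the same test against the hardened contract expects the send to revert with UnexpectedSender. Keeping totalClaimable separate from the raw balance is what lets the sweep function distinguish stray ether from funds users are entitled to claim.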
