Skip to content

Latest commit

 

History

History
38 lines (27 loc) · 1.14 KB

120.md

File metadata and controls

38 lines (27 loc) · 1.14 KB
Raw

Skinny Licorice Ostrich

Medium

funds cab be locked in the contract.

Summary

The receive function allows the owner to send Ether to the contract but does not provide a mechanism to withdraw it.

Vulnerability Detail

function __Messenger_init(address _counterpart, address _feeVault) internal onlyInitializing { OwnableUpgradeable.__Ownable_init(); PausableUpgradeable.__Pausable_init(); ReentrancyGuardUpgradeable.__ReentrancyGuard_init();

    // initialize to a nonzero value
    xDomainMessageSender = Constants.DEFAULT_XDOMAIN_MESSAGE_SENDER;

    counterpart = _counterpart;
    if (_feeVault != address(0)) {
        feeVault = _feeVault;
    }
}

/* solhint-enable */

// make sure only owner can send ether to messenger to avoid possible user fund loss.

@>> receive() external payable onlyOwner {}

Impact

Code Snippet

https://github.com/sherlock-audit/2024-08-morphl2/blob/main/morph/contracts/contracts/libraries/CrossDomainMessenger.sol#L90

Tool used

Manual Review

Recommendation

Implement a withdrawal function for the owner to retrieve Ether from the contract.