#38012 [SC-Insight] Unused Function in CLAdapter Contract
Was this helpful?
Was this helpful?
Submitted on Dec 21st 2024 at 17:11:08 UTC by @IlIlHunterlIlI for
Report ID: #38012
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/lombard-finance/evm-smart-contracts/blob/main/contracts/bridge/adapters/CLAdapter.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
The initWithdrawalNoSignatures
function in CLAdapter.sol has the onlyTokenPool
modifier but is never called from the TokenPool
contract or any other location in the codebase. This creates dead code that increases contract size and gas costs unnecessarily while potentially creating confusion about the security model around signature-less withdrawals.
The function is defined in CLAdapter.sol:
Key observations:
The function has onlyTokenPool
modifier meaning only the TokenPool contract can call it
Examining TokenPool.sol shows no calls to this function
The function allows withdrawals without signature verification unlike initiateWithdrawal
While this is not an exploitable vulnerability since the function is protected by onlyTokenPool
, it has several negative impacts:
Increased deployment costs due to unnecessary bytecode
Potential future security risks if the function is accidentally used instead of the signature-verified version
CLAdapter.sol: Line 192-198
TokenPool.sol implementation
my foundry.toml
and this is how i got the environment to be in foundry