# #43987 \[SC-Low] Unchecked low-level ETH transfer in \`Dispatcher.sol\` may lead to undetected failures **Submitted on Apr 15th 2025 at 11:22:17 UTC by @DSbeX for** [**Audit Comp | Spectra Finance**](https://immunefi.com/audit-competition/audit-comp-spectra-finance) * **Report ID:** #43987 * **Report Type:** Smart Contract * **Report severity:** Low * **Target:** * **Impacts:** ## Description ## Brief/Intro The `TRANSFER_NATIVE` command in the `Dispatcher.sol` allows users to forward ETH to any arbitrary address via a low-level .call{value: amount}(""). However, if the recipient address is a contract that does not support receiving ETH(or any other reason of which the transaction will revert), the call fails silently and user funds are locked in the contract. There is no validation of the recipient beforehand, nor is the failure communicated to the caller. ## Vulnerability Details In the `_dispatch()` function of the `Dispatcher.sol` , the following command is handled: ```javascript } else if (command == Commands.TRANSFER_NATIVE) { (address recipient, uint256 amount) = abi.decode(_inputs, (address, uint256)); (bool success, ) = payable(recipient).call{value: amount}(""); // success is not checked } ``` The failure of .call is not tracked or surfaced in any way. From the user’s perspective, ETH is sent into the Router.sol and expected to be delivered — but no indication is given if the transfer fails. While this is considered a user input error, the contract does not enforce or warn about this scenario(so the user expects it to revert if the transaction doesn't execute) — leading to silent loss of funds, even if not truly frozen or maliciously mishandled. ## Impact Details This applies to any user sending ETH through a TRANSFER\_NATIVE command to a recipient that rejects ETH or causes the .call to fail for some reason: Unexpected behavior: ETH silently fails to deliver, but execution continues. Poor user experience: users are not alerted and all their funds that were meant for this transaction are locked No mechanism is provided for recovery or refund. ## References `_dispatch()` in `Dispatcher.sol`: ## Proof of Concept ## Proof of Concept 1. User sends ETH via TRANSFER\_NATIVE to a non-payable contract. 2. ETH is accepted into the Router via msg.value. 3. .call to the recipient fails silently. (because of the non-payable contract) 4. Execution continues, user is unaware of failure. 5. ETH remains in the Router with no recovery method. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/spectra-finance/43987-sc-low-unchecked-low-level-eth-transfer-in-dispatcher.sol-may-lead-to-undetected-failures.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.