search
Active Boosts

#44091 [SC-Low] Lack of ETH transfer check leads to stolen funds

Submitted on Apr 16th 2025 at 20:12:20 UTC by @din for Audit Comp | Spectra Financearrow-up-right

  • Report ID: #44091

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/router/Dispatcher.sol

  • Impacts:

    • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

hashtag
Description

hashtag
Brief/Intro

Dispatcher.sol does not check if the low lvl call for sending ETH is successfull. If the call fails, the tx does not revert and the users funds remain stuck in the contract, without any way for the user to know that his funds did not reach the destination address. A malicious user can steal those stuck funds immedeately.

hashtag
Vulnerability Details

The TRANSFER_NATIVE command does not check if the low lvl call is successfull.

     else if (command == Commands.TRANSFER_NATIVE) {
        (address recipient, uint256 amount) = abi.decode(_inputs, (address, uint256));
        (bool success, ) = payable(recipient).call{value: amount}(""); <@
    }

As a result, all failed calls will NOT cause the execute() call to revert. ETH sent from the user will be stuck in the Router/Dispatcher contracts

hashtag
Impact Details

Stolen user funds from their failed ETH transfers. An attacker can call execute and transfer their ETH to his address

hashtag
References

https://github.com/immunefi-team/Spectra-Audit-Competition/blob/main/src/router/Dispatcher.sol?utm_source=immunefi#L483C1-L486C11

hashtag
Proof of Concept

hashtag
Proof of Concept

  1. A honest user calls Dispatcher::execute() with command: TRANSFER_NATIVE and sends 10 eth to a recepient contract

  2. The recepient contract fallback() reverts due to logic which freezes any transfers to it due to custom conditions met. For example: Admin has paused any transfers between 10pm-12pm . Or the recipient is a malicious contract that reverts when the fallback() is called.

  3. The honest user Dispatcher::execute() tx is successful, however his funds remain stuck in the contract, without him knowing it.

  4. A malicious user immediately calls Dispatcher::execute() TRANSFER_NATIVE and sends the stuck funds to his address.

Previous#44167 [SC-Medium] Incorrect balance check in PT redemption commandsNext#43469 [SC-Low] Return value of low level call not checked can cause silent Reverts

Was this helpful?