
Report #12333

Report Date
October 11, 2022
Status
Closed
Payout

A reverting fallback function will lock up all payouts

Report Info

Report ID

#12333

Target

Report type

Smart Contract

Impacts

Permanent freezing of funds

Has PoC?

Yes

Bug Description

In Address.sol, the internal function sendValue() reverts if the transfer does not succeed:

    function sendValue(address payable recipient, uint256 amount) internal {
        require(address(this).balance >= amount, "Address: insufficient balance");

        // solhint-disable-next-line avoid-low-level-calls, avoid-call-value
        (bool success, ) = recipient.call{ value: amount }("");
        require(success, "Address: unable to send value, recipient may have reverted");
    }

sendValue() is called to send value. If any of the recipients of a sendValue() call is a smart contract that reverts, then the entire payout will fail and will be unrecoverable.

Impact

Loss of funds

Risk Breakdown

Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:

References

Proof of concept
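As an added illustration, not part of the report or of either response, the two payout patterns the description contrasts: a push payout where one recipient whose receive() reverts makes the whole batch revert (the same revert-on-failure behaviour as Address.sendValue()), beside a pull-payment version where each recipient withdraws its own share and a reverting recipient blocks only itself. Contract and function names here are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Stand-in for any recipient contract that cannot accept plain ETH
// (constructed for this example).
contract RevertingRecipient {
    receive() external payable {
        revert("no ETH accepted");
    }
}

// Push payout: a single reverting recipient reverts the entire batch,
// so none of the other recipients can be paid through this path.
contract PushPayout {
    function payAll(address payable[] calldata to, uint256 each) external payable {
        require(msg.value == to.length * each, "bad total");
        for (uint256 i = 0; i < to.length; i++) {
            // Same behaviour as OpenZeppelin Address.sendValue(): revert on failure.
            (bool ok, ) = to[i].call{value: each}("");
            require(ok, "unable to send value, recipient may have reverted");
        }
    }
}

// Pull payout: credit every recipient, let each one withdraw separately.
// A recipient whose receive() reverts only fails its own withdraw().
contract PullPayout {
    mapping(address => uint256) public owed;

    function creditAll(address[] calldata to, uint256 each) external payable {
        require(msg.value == to.length * each, "bad total");
        for (uint256 i = 0; i < to.length; i++) {
            owed[to[i]] += each;
        }
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0; // zero the balance before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```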

BIC Response

This is not a security bug report because sendValue() is part of the Address.sol contract from OpenZeppelin, but this function actually is not even used in that ERC20 token contract.

Due to these reasons, we are closing the submission and no reward will be issued.

Halborn Response

This report does not really make much sense. I believe we are talking about this contract: https://etherscan.io/address/0x1BEA0050E63e05FBb5D8BA2f10cf5800B6224449?utm_source=immunefi#code. sendValue() is part of the Address.sol contract from OpenZeppelin, but this function actually is not even used in that ERC20 token contract. And even if it was used, I see no issue with it.