Function EthosReview.sol:withdrawFunds() does not support a recipient for withdrawal different than msg.sender

Summary

EthosReview.sol:withdrawFunds() lets the contract owner withdraw funds but the only supported recipient is msg.sender

In case the contract owner is delegated to a contract, eg. Gnosis Multisig, the funds can be only transferred from EthosReview to the multisig contract and if it does not allow withdrawal and/or is not upgradeable, could lead to fund freezing

Root Cause

No response

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

No response

Impact

No response

PoC

No response

Mitigation

Implement function like this:

function withdrawFunds(address paymentToken address to) external onlyOwner {
    ...
    IERC20(paymentToken).transfer(to, IERC20(paymentToken).balanceOf(address(this)));
}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

018.md

018.md

Function EthosReview.sol:withdrawFunds() does not support a recipient for withdrawal different than msg.sender

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation

Files

018.md

Latest commit

History

018.md

File metadata and controls

Function EthosReview.sol:withdrawFunds() does not support a recipient for withdrawal different than msg.sender

Summary

Root Cause

Internal pre-conditions

External pre-conditions

Attack Path

Impact

PoC

Mitigation