Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Voyage>High findings>Missing access control on multiple ,PaymentsFacet, functions
GeneralOverview
Findings
Critical (7)
High (6)Redeem implementationPostRelayedCall accessPaymentsFacet accessMulticall msg.valueInterest double paymentStale price oracle
Medium (3)
Low (5)
Informational (1)
DiscussionCentralization riskCode maturitySlitherOracle hardeningVoyage findingsNeedsTitle
Audit ResultsSummary
Category: Business Logic

Missing access control on multiple PaymentsFacet functions

High Severity
Low Impact
High Likelihood

Description

Multiple functions in PaymentsFacet are lacking any access control checks:

  • unwrapWETH9 unwraps and sends WETH owned by Voyage to an arbitrary address

  • wrapWETH9 wraps all the ETH balance owned by Voyage into WETH

  • sweepToken transfers any ERC20 token owned by Voyage to an arbitrary address

  • refundETH transfers all the ETH balance owned by Voyage to msg.sender

Impact

Those functions can be used to steal or transfer ETH and ERC20 assets held by the main Voyage contract. The contract only holds assets temporarily while processing transactions (e.g., buyNow), so an attacker cannot generally gain anything by using them. However, since there is no reentrancy guard, there is a risk of an attacker finding a way to reenter the contract while the contract is holding some assets.

Recommendations

Since these functions are not meant to be publicly exposed, they represent an unnecessary risk. We recommend to enforce access control to restrict usage only to the intended user.

Remediation

Commit 9a2e8f42 was indicated as containing the remediation. The issue is correctly fixed in the given commit. The four functions have been marked as internal.

Zellic © 2025Back to top ↑