Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/CBridgeFacet.sol#L68
if msg.value > amount , there is no mechanism to send extra eth back due to which user will lose extra
if msg.value > amount
function startBridgeTokensViaCBridge(LiFiData memory _lifiData, CBridgeData calldata _cBridgeData) public payable { if (_cBridgeData.token != address(0)) { uint256 _fromTokenBalance = LibAsset.getOwnBalance(_cBridgeData.token);
LibAsset.transferFromERC20(_cBridgeData.token, msg.sender, address(this), _cBridgeData.amount); require( LibAsset.getOwnBalance(_cBridgeData.token) - _fromTokenBalance == _cBridgeData.amount, "ERR_INVALID_AMOUNT" ); } else { require(msg.value >= _cBridgeData.amount, "ERR_INVALID_AMOUNT"); // @audit here , msg.value can be greater than amount }
manual review
use require(msg.value == _cBridgeData.amount)
Duplicate of #33
Lines of code
https://github.com/code-423n4/2022-03-lifinance/blob/699c2305fcfb6fe8862b75b26d1d8a2f46a551e6/src/Facets/CBridgeFacet.sol#L68
Vulnerability details
Impact
if msg.value > amount
, there is no mechanism to send extra eth back due to which user will lose extraProof of Concept
function startBridgeTokensViaCBridge(LiFiData memory _lifiData, CBridgeData calldata _cBridgeData) public payable { if (_cBridgeData.token != address(0)) { uint256 _fromTokenBalance = LibAsset.getOwnBalance(_cBridgeData.token);
Tools Used
manual review
Recommended Mitigation Steps
use require(msg.value == _cBridgeData.amount)