Status: Closed (code423n4 closed this issue 1 year ago)
dmvt marked the issue as duplicate of #34
dmvt marked the issue as selected for report
dmvt changed the severity to 2 (Med Risk)
dmvt marked the issue as not selected for report
dmvt marked the issue as unsatisfactory: Invalid
Converted WETH is minted to the sender's account. There is nothing to refund in the scenario described.
Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/MarketplaceLogic.sol#L63-L103
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/MarketplaceLogic.sol#L575-L591
https://github.com/code-423n4/2022-11-paraspace/blob/c6820a279c64a299a783955749fdc977de8f0449/paraspace-core/contracts/protocol/libraries/logic/MarketplaceLogic.sol#L569-L573
Vulnerability details

Impact

When a user sends extra ETH to executeBuyWithCredit() or executeBatchBuyWithCredit() and tries to buy a WETH token, the contract would convert the user's ETH to WETH, but it won't transfer back the extra amount the user has sent to the contract (when it doesn't convert the ETH, the contract sends back the extra amount). So users would lose funds in some conditions: if the tokens being bought have no exact price, users need to send extra ETH, and that extra amount would be lost.

Proof of Concept
This is the executeBuyWithCredit() and _depositETH() code in the MarketplaceLogic contract:

As you can see in _depositETH(), when the contract converts ETH to WETH it sets ethLeft to zero, and the function _refundETH(vars.ethLeft) won't return the extra amount to the user. The code doesn't support returning the extra ETH amount when it is converted to WETH. The issue happens when a user calls executeBuyWithCredit() sending 110 ETH (the user is not sure about the exact price and wants the order not to fail) and the buy order's token is WETH. If the user buys the token with ETH, the contract would send back the extra amount, but for WETH orders users would lose funds.
Tools Used

VIM

Recommended Mitigation Steps

Support WETH and send back the extra amount to the user.
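As an added illustration that is not ParaSpace's MarketplaceLogic and not part of the warden's submission, the simplified settlement contract below makes the accounting this issue turns on explicit: every wei of msg.value is either paid to the seller in ETH, wrapped and credited to msg.sender as WETH, or refunded as ETH, and an on-chain conservation check enforces that the three sum to msg.value. It shows why setting ethLeft to zero after the conversion is only correct when the minted WETH is credited to the sender, which is the point the judge's comment makes. The contract name, buy(), _refundETH() and the IWETH interface are assumptions for the example; the interface mirrors the canonical WETH9 deposit()/transfer() signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed WETH surface: the canonical WETH9 deposit()/transfer() signatures.
interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative settlement contract (hypothetical; not ParaSpace code).
/// Invariant: every wei of msg.value ends up in exactly one of three places:
///   (a) paid to the seller in ETH,
///   (b) converted to WETH and held by msg.sender,
///   (c) refunded to msg.sender as ETH.
/// "ethLeft = 0 after conversion" is correct only because (b) credits the buyer.
contract PaymentSettlement {
    IWETH public immutable weth;

    event Settled(address indexed buyer, uint256 paidInEth, uint256 wethToBuyer, uint256 refunded);

    constructor(IWETH _weth) {
        weth = _weth;
    }

    /// @param seller     recipient of an ETH-denominated order
    /// @param price      order price in wei
    /// @param payInWeth  true when the order is denominated in WETH
    function buy(address payable seller, uint256 price, bool payInWeth) external payable {
        require(msg.value >= price, "insufficient ETH");
        uint256 ethLeft = msg.value;
        uint256 paidInEth;
        uint256 wethToBuyer;

        if (payInWeth) {
            // Wrap the whole msg.value and credit it to the buyer. The surplus
            // above `price` is not lost: it stays in the buyer's WETH balance.
            // Moving `price` in WETH from buyer to seller would be done by the
            // marketplace leg, which this example leaves out.
            weth.deposit{value: ethLeft}();
            require(weth.transfer(msg.sender, ethLeft), "WETH transfer failed");
            wethToBuyer = ethLeft;
            ethLeft = 0;
        } else {
            // ETH-denominated order: pay the seller exactly `price`, keep the rest for refund.
            (bool ok, ) = seller.call{value: price}("");
            require(ok, "ETH payment failed");
            paidInEth = price;
            ethLeft -= price;
        }

        uint256 refunded = _refundETH(ethLeft);

        // Conservation check: nothing sent with this call went unaccounted for.
        assert(paidInEth + wethToBuyer + refunded == msg.value);
        emit Settled(msg.sender, paidInEth, wethToBuyer, refunded);
    }

    /// Returns leftover ETH to the caller and reports how much was sent back.
    function _refundETH(uint256 amount) internal returns (uint256) {
        if (amount == 0) return 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "refund failed");
        return amount;
    }
}
```

The Settled event exposes the three buckets so that an off-chain monitor can verify, per transaction, that paidInEth + wethToBuyer + refunded equals the ETH attached to the call; a review of a refund path like the one discussed above reduces to checking which bucket the "converted" amount landed in.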