Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/main/src/periphery/Payment.sol#L44
Vulnerability details
Impact
A malicious user can drain the entire contract, and no one will be able to get their ether refunded.
Proof of Concept
Any person can create a malicious contract and directly call that function repeatedly over time. Also, any MEV bot can frontrun the implementation and take the funds.
Tools Used
Manual review.
Recommended Mitigation Steps
Provide additional checks for the user refund: who is allowed to refund, and whether or not it was refunded before.
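As an added illustration of the recommended mitigation (this is example code written for this note, not the Numoen Payment.sol source), the contract names and the `PRICE` constant below are hypothetical. `UnsafeRefund` reproduces the pattern the finding describes, where any caller can sweep the whole ETH balance; `SafeRefund` records per-user credit, refunds only the caller's own credit, and clears it before the external call so a refund cannot be claimed twice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative only: a minimal stand-in for a periphery payment helper.
/// It is NOT the Numoen Payment.sol source; it shows the weakness the
/// finding describes (anyone can sweep the contract's ETH balance).
contract UnsafeRefund {
    receive() external payable {}

    /// Vulnerable pattern: no record of who is owed a refund and no check
    /// that the caller is owed anything. Any address, including a contract
    /// or a frontrunning bot, receives the entire balance.
    function refundETH() external {
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "transfer failed");
        }
    }
}

/// Hardened version following the recommended mitigation: track who can
/// refund (per-user credit) and whether it was refunded before (credit is
/// zeroed before sending, checks-effects-interactions order).
contract SafeRefund {
    /// Hypothetical fixed price for the operation this contract sells.
    uint256 public constant PRICE = 0.01 ether;

    /// Unused ETH owed back to each user.
    mapping(address => uint256) public refundable;

    event RefundCredited(address indexed user, uint256 amount);
    event Refunded(address indexed user, uint256 amount);

    /// Demonstration entry point: the caller may over-pay; everything above
    /// PRICE becomes the caller's own refundable credit instead of sitting
    /// in the contract balance where anyone could claim it.
    function buy() external payable {
        require(msg.value >= PRICE, "insufficient payment");
        uint256 surplus = msg.value - PRICE;
        if (surplus > 0) {
            refundable[msg.sender] += surplus;
            emit RefundCredited(msg.sender, surplus);
        }
    }

    /// Only the caller's own credit is refundable. The credit is cleared
    /// before the external call, so a re-entrant or repeated call finds
    /// nothing to take, and the contract's other ETH is never exposed.
    function refundETH() external {
        uint256 amount = refundable[msg.sender];
        require(amount > 0, "nothing to refund");
        refundable[msg.sender] = 0;
        emit Refunded(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The key difference is that `SafeRefund.refundETH` never reads `address(this).balance`: what a caller can withdraw is bounded by the surplus that caller personally paid in, and the state update happens before the value transfer.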