code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L145-L175 https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L192-L234

Vulnerability details

Impact

The use of msg.value in a loop in different places in the contract can introduce potential risks. The contract accepts Ether as part of its execution and relay calls. If the contract's logic does not handle or validate the msg.value appropriately, it can result in unintended Ether transfers. For example, if the contract expects a specific amount of Ether for a particular operation and msg.value is not properly validated, it can lead to Ether being locked in the contract or transferred incorrectly.

Proof of Concept

LSP6KeyManagerCore.executeBatch(uint256[],bytes[]) use msg.value in a loop: revert LSP6BatchInsufficientValueSent(uint256,uint256)(totalValues,msg.value)

https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L145-L175

LSP6KeyManagerCore.executeBatch(uint256[],bytes[]) use msg.value in a loop: (totalValues += values[ii]) > msg.value

https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L145-L175

LSP6KeyManagerCore.executeRelayCallBatch(bytes[],uint256[],uint256[],uint256[],bytes[]) use msg.value in a loop: (totalValues += values[ii]) > msg.value

https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L192-L234

LSP6KeyManagerCore.executeRelayCallBatch(bytes[],uint256[],uint256[],uint256[],bytes[]) use msg.value in a loop: revert LSP6BatchInsufficientValueSent(uint256,uint256)(totalValues,msg.value)

https://github.com/code-423n4/2023-06-lukso/contracts/LSP6KeyManager/LSP6KeyManagerCore.sol#L192-L234