Closed c4-bot-9 closed 6 months ago
raymondfam marked the issue as primary issue
raymondfam marked the issue as sufficient quality report
Typically, the sender is the entryPoint while account is SCW. This should generally not pose an issue but will let the sponsor review.
wilsoncusack marked the issue as disagree with severity
Account is UserOp.sender
, which must be able to respond to validation queries and we expect to be a smart account. It would have to be an intentional abuse of the system to have sender
be some address where you lose control of ETH.
wilsoncusack (sponsor) acknowledged
Requiring refunds to the multicall address where they are up for grabs for anyone is a user mistake.
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/main/src/MagicSpend/MagicSpend.sol#L161
Vulnerability details
Impact
When a user use an intermediate contract to pass along a call without the ability for this contract to receive their refund, the eth will be stuck in the intermediate contract.
Proof of Concept
postOp will send the all remaining funds to the user account using forceSafeTransferETH:
This function works by attempting to send the value to the address and, if it fails, creating a temporary contract with the balance and self destructing it to force the ETH to the address:
The issue is that, in the case of a mint, it could be harmful for the refunded ETH to be forced to the contract.
For example, let's consider a situation where a user uses the Multicaller contract at 0x000000000088228fCF7b8af41Faf3955bD0B3A41. This contract would become the msg.sender for their mint and would receive the gas refund. Since it doesn't have a receive() function, it would ordinarily revert, but in this case would have the ETH forced into the contract balance. It would then become a race between the user and MEV bots to extract the ETH.
This is one example, but this same issue exists in any situation where a user might use an intermediate contract to pass along a call without the ability for this contract to receive their refund.
Tools Used
Manual review
Recommended Mitigation Steps
Consider using safeTransferETH instead of forceSafeTransferETH, to allow the user to determine a different call path (or send the correct msg.value to avoid there being a refund).
Assessed type
ETH-Transfer