Closed howlbot-integration[bot] closed 1 month ago
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto marked the issue as duplicate of #687
koolexcrypto marked the issue as duplicate of #687
koolexcrypto marked the issue as duplicate of #218
koolexcrypto marked the issue as not a duplicate
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as duplicate of #41
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L102-L175
Vulnerability details
Impact
Forging fees remaining in the contract may not be refunded to the caller and may be permanently locked in the contract.
Proof of Concept
The
EntityForging#forgeWithListed()
is a function where a Merger is forged with a Forger.As you can see, in the provided code snippet, only the corresponding
forgingFee
is expected to be sent to theNukeFund
contract andforgerOwner
regardless of the transmitted ETH (msg.value
). IfforgingFee
is reset before the transaction is executed for various reasons, there may be residual ETH left in the contract.Example:
fee
to 0.1 ether using thelistForForging()
function.forgeWithListed()
function withmsg.value = 0.1 ether
to forge Alice's NFT.cancelListingForForging()
function is called for various reasons (such as selling an NFT or incorrectly setting parameters) before the Bob's transaction is executed, and thelistForForging()
function is called again to reset thefee
to 0.08 ether.Tools Used
Manual Review
Recommended Mitigation Steps
It is recommended to implement a mechanism to refund the remaining funds to the caller.
Assessed type
Payable