Closed howlbot-integration[bot] closed 1 month ago
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto marked the issue as duplicate of #687
koolexcrypto marked the issue as duplicate of #218
koolexcrypto removed the grade
koolexcrypto marked the issue as not a duplicate
koolexcrypto marked the issue as duplicate of #41
koolexcrypto marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L126
Vulnerability details
Impact
forgeWithListed accepts an arbitrary msg.value, and if forgingFee is less than that amount, the difference is simply held inside the contract with no way of withdrawing it.

Proof of Concept
forgeWithListed can be called with an arbitrary value, where only forgingFee is taken from it and the rest is left stuck inside the contract. Here is an example where, due to network congestion, the merger loses some of his ETH:
In the example above, due to bad luck, our merger lost 0.1 ETH. This should never be the case: the function should either return the extra or revert if the msg.value doesn't match the asked price.

Tools Used
Manual review
Recommended Mitigation Steps
Revert if msg.value doesn't match price.

Assessed type
Error
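To make the pattern from the Impact and Recommended Mitigation sections concrete, the following is an added illustration and not the TraitForge code: a stripped-down listing/forging contract in which a base contract holds the listings, a "vulnerable" child accepts any over-payment and strands the surplus, and a "hardened" child applies the two fixes the report suggests (exact-match revert, or refund of the surplus). All names here (ForgeBase, VulnerableForge, HardenedForge, the Listing struct, the forgerId parameter, the balances bookkeeping) are hypothetical and only loosely mirror the audited forgeWithListed function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal base: sellers list a token for a fee, buyers forge
// against it, and sellers pull their earned fees. Not the project's code.
abstract contract ForgeBase {
    struct Listing { address seller; uint256 fee; bool active; }

    mapping(uint256 => Listing) public listings;   // forgerId => listing
    mapping(address => uint256) public balances;   // seller => claimable wei

    function list(uint256 forgerId, uint256 fee) external {
        listings[forgerId] = Listing(msg.sender, fee, true);
    }

    // Only amounts credited to `balances` can ever leave the contract.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function forgeWithListed(uint256 forgerId) external payable virtual;
}

// The issue as described in the report: any msg.value >= fee is accepted,
// only `fee` is credited to the seller, and (msg.value - fee) is never
// accounted for, so it stays in the contract with no withdrawal path.
contract VulnerableForge is ForgeBase {
    function forgeWithListed(uint256 forgerId) external payable override {
        Listing storage l = listings[forgerId];
        require(l.active, "not listed");
        require(msg.value >= l.fee, "insufficient fee");   // surplus allowed in
        l.active = false;
        balances[l.seller] += l.fee;                       // surplus stranded
    }
}

// The recommended mitigation: revert unless msg.value matches the price.
// A refunding variant is shown as the alternative the report also mentions.
contract HardenedForge is ForgeBase {
    function forgeWithListed(uint256 forgerId) external payable override {
        Listing storage l = listings[forgerId];
        require(l.active, "not listed");
        require(msg.value == l.fee, "msg.value must equal forging fee");
        l.active = false;
        balances[l.seller] += l.fee;
    }

    // Alternative: accept over-payment but return the difference to the
    // caller in the same transaction, so nothing is left unaccounted for.
    function forgeWithListedRefund(uint256 forgerId) external payable {
        Listing storage l = listings[forgerId];
        require(l.active, "not listed");
        require(msg.value >= l.fee, "insufficient fee");
        l.active = false;
        balances[l.seller] += l.fee;

        uint256 surplus = msg.value - l.fee;
        if (surplus > 0) {
            (bool ok, ) = msg.sender.call{value: surplus}("");
            require(ok, "refund failed");
        }
    }
}
```

Of the two fixes, the exact-match revert is the simpler to reason about: the contract's ETH balance then always equals the sum of claimable balances, which is an invariant that is easy to check in a fuzz test (send a range of values to forgeWithListed and assert address(this).balance == sum of balances). The refund variant keeps callers from having to compute the exact fee up front but adds an external call, so it should keep the checks-effects-interactions order shown above.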