Closed howlbot-integration[bot] closed 1 month ago
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto marked the issue as duplicate of #687
koolexcrypto marked the issue as duplicate of #218
koolexcrypto changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/549e6891a6fcac4eed095b305f5cce8ca166ce51/contracts/EntityForging/EntityForging.sol#L126
Vulnerability details
Impact
The EntityForging contract requires the user (the merger's owner) to provide ETH (in msg.value) with the forgeWithListed call to pay the forger's listing fee. But if the user provides more ETH than the forgingFee, the excess ETH isn't refunded to the user.
Proof of Concept
Observe the forgeWithListed function:
In the above function, the condition in the require statement allows the user to pass msg.value >= forgingFee, but in the ETH transfer step the function sends only an exact amount equal to devFee + forgerShare = forgingFee. The excess ETH is not refunded to the user.
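The fee check described above, next to an exact-match check and a refund of the surplus, as an added example that is not code from the report or from the TraitForge repository. The contract name, the fee value, the 10% split, the revert strings and the function names are assumptions; only forgingFee, devFee and forgerShare follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal contract, not TraitForge's EntityForging. Only the names
// forgingFee, devFee and forgerShare follow the report; the rest is assumed.
contract ForgeFeeDemo {
    uint256 public constant forgingFee = 0.01 ether; // constructed sample fee
    address payable public immutable dev;
    address payable public immutable forger;

    constructor(address payable dev_, address payable forger_) {
        dev = dev_;
        forger = forger_;
    }

    // Pattern from the report: accepts msg.value >= forgingFee, pays out exactly
    // forgingFee, and leaves (msg.value - forgingFee) held by the contract.
    function forgeKeepsExcess() external payable {
        require(msg.value >= forgingFee, "Insufficient fee for forging");
        _payout();
    }

    // Exact-match variant: any value other than the fee reverts.
    function forgeExactFee() external payable {
        require(msg.value == forgingFee, "Fee must equal forgingFee");
        _payout();
    }

    // Refund variant: keeps >= but returns the surplus after the payouts.
    function forgeWithRefund() external payable {
        require(msg.value >= forgingFee, "Insufficient fee for forging");
        _payout();
        uint256 excess = msg.value - forgingFee;
        if (excess > 0) {
            (bool ok, ) = payable(msg.sender).call{value: excess}("");
            require(ok, "Refund failed");
        }
    }

    // devFee + forgerShare == forgingFee, so nothing beyond the fee is forwarded.
    function _payout() private {
        uint256 devFee = forgingFee / 10; // assumed 10% split for illustration
        uint256 forgerShare = forgingFee - devFee;
        (bool ok1, ) = dev.call{value: devFee}("");
        (bool ok2, ) = forger.call{value: forgerShare}("");
        require(ok1 && ok2, "Payout failed");
    }
}
```

The refund is an external call to msg.sender, so it is placed last, after the payouts, and a function that also updates state should finish those updates before it.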
Tools Used
Manual Review
Recommended Mitigation Steps
Solution 1: Force msg.value to be equal to the forgingFee
Fix the conditional in the require statement as:
Solution 2: Refund the excess ETH back to the user
At the end of the forgeWithListed function, refund the excess ETH back to the user by adding this block of code:
Assessed type
ETH-Transfer