Closed c4-bot-2 closed 1 month ago
This vulnerability was marked as invalid with comments 'msg.value is ETH with 18 decimals'. The actual vulnerability is not reliant on any specific msg.value, more so that msg.value > _forgerListingInfo.fee and msg.value < totalDevWeight. totalDevWeight is something accrued over time as more devs are added to the fund. If the totalDevWeight is made too large, small-value donations will be sent to the owner unintentionally.
"If the totalDevWeight is made too large, small value donations will be sent to the owner unintentionally"
A general statement, and theoretical. A lack of specific numbers does not help in assessing the severity. Furthermore, totalDevWeight is controlled by the owner.
Given the above, this would be a QA.
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/DevFund/DevFund.sol#L16-L18
Vulnerability details
Impact
The DevFund contract acts as a donation and DAO treasury that can fund approved developers based on an agreed weighting given to each developer. However, due to integer-division rounding, unfavorable conditions can cause the entire donation amount to be transferred to the owner account instead of the approved developers. The following snippet shows how rewards are split, allocating excess amounts to the owner:

If msg.value < totalDevWeight, a donation sent to the receive() function will result in amountPerWeight == 0. This results in remaining == msg.value being sent to the owner. (More generally, the remainder msg.value % totalDevWeight goes to the owner on every donation; when msg.value < totalDevWeight that remainder is the whole donation.) This is unintended behavior, and it cannot be expected that every donating account should donate an amount of at least totalDevWeight or risk their funds being transferred elsewhere.
Proof of Concept
A snapshot of the test that reproduces this issue is located below. For the full test suite and setup, please go to the following repository.
The command to run the test is:
forge test --match-test testFailOwnerReceivesRemainingWhenTotalDevWeightLessThanFunding
Tools Used
Manual Review, Forge/Foundry
Recommended Mitigation Steps
Several options should be considered; one is to reject donations where totalDevWeight > msg.value (use this method if the expectation is that users are only allowed to donate successfully if their donation is at least totalDevWeight).
Assessed type
Rug-Pull
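As an added example, not code from the TraitForge repository or from the warden's Foundry test, the following Python models the integer split that the report describes for receive() and the "reject donations below totalDevWeight" mitigation it recommends. The split formula (amountPerWeight = msg.value / totalDevWeight with Solidity integer division, remaining = msg.value - amountPerWeight * totalDevWeight paid to the owner) is reconstructed from the report's description and is an assumption of this example, as is the dust-carrying alternative in DustCarryingFund; the function and class names are hypothetical, and all inputs are constructed.

```python
"""Added example: model of DevFund.receive() rounding and two ways to handle it.

Assumption: the split below is reconstructed from the finding's description of
receive(); it is not a copy of the contract. Amounts are in wei.
"""


def split_vulnerable(msg_value: int, total_dev_weight: int) -> tuple[int, int]:
    """Return (amount_per_weight, remaining_to_owner) for one donation.

    Mirrors the behaviour the report describes: integer division floors the
    per-weight amount, and the leftover is paid to the owner.
    """
    if total_dev_weight == 0:
        # Assumption: with no registered devs the whole donation goes to the owner.
        return 0, msg_value
    amount_per_weight = msg_value // total_dev_weight  # Solidity `/` on uint256
    remaining = msg_value - amount_per_weight * total_dev_weight
    return amount_per_weight, remaining


def owner_fraction(msg_value: int, total_dev_weight: int) -> float:
    """Fraction of the donation that ends up with the owner (0.0 .. 1.0)."""
    if msg_value == 0:
        return 0.0
    _, remaining = split_vulnerable(msg_value, total_dev_weight)
    return remaining / msg_value


def split_require_min(msg_value: int, total_dev_weight: int) -> tuple[int, int]:
    """Mitigation from the report: revert when the donation is below totalDevWeight.

    A ValueError stands in for a Solidity revert.
    """
    if total_dev_weight > msg_value:
        raise ValueError("donation below totalDevWeight would be rounded entirely to owner")
    return split_vulnerable(msg_value, total_dev_weight)


class DustCarryingFund:
    """Alternative mitigation (an assumption of this example, not from the report):
    keep the remainder in the contract and add it to the next donation, so no
    donation is redirected to the owner through rounding.
    """

    def __init__(self, total_dev_weight: int) -> None:
        if total_dev_weight == 0:
            raise ValueError("needs at least one weighted dev")
        self.total_dev_weight = total_dev_weight
        self.dust = 0                 # undistributed wei carried to the next call
        self.total_reward_debt = 0    # accumulated reward per unit of weight

    def receive(self, msg_value: int) -> int:
        """Distribute the donation plus carried dust; return reward added per weight."""
        pool = self.dust + msg_value
        amount_per_weight = pool // self.total_dev_weight
        self.dust = pool - amount_per_weight * self.total_dev_weight
        self.total_reward_debt += amount_per_weight
        return amount_per_weight


if __name__ == "__main__":
    # Constructed scenarios: a sub-threshold donation vs. a 1 ETH donation.
    for value, weight in [(999, 1000), (10**18 + 7, 1000)]:
        per_weight, to_owner = split_vulnerable(value, weight)
        print(f"value={value} weight={weight} -> per_weight={per_weight} "
              f"owner={to_owner} ({owner_fraction(value, weight):.2%})")
    fund = DustCarryingFund(1000)
    print("dust-carrying:", fund.receive(999), fund.dust, fund.receive(1), fund.dust)
```

The first scenario is the one the report describes: with msg.value below totalDevWeight the floor is zero and the owner receives 100% of the donation, whereas a 1 ETH donation against the same weight leaks only 7 wei. The dust-carrying variant shows that the remainder can be retained and distributed on the next call instead of being paid out, which is a check worth weighing against the simpler require() if sub-threshold donations are expected.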