Club owners need to pay eth on fees when calling mintPlayers on the FootiumAcademy contract, but if it happens to be a eth surplus this wont be refunded.
Vulnerability Detail
Scenarios where it could be a surplus of eth when calling mintPlayer:
1.- Club owner sent more eth by mistake.
2.- Club owner sent the correct eth amount, but an owner transaction to reduce fees happen to reach the arbitrum sequencer first and then executed before club owner tx.
Impact
Club owners will lose any surplus of eth sent when calling mintPlayers.
0xRobocop
medium
FootiumAcademy does not return excess of Ether
Summary
Club owners need to pay eth on fees when calling
mintPlayers
on theFootiumAcademy
contract, but if it happens to be a eth surplus this wont be refunded.Vulnerability Detail
Scenarios where it could be a surplus of eth when calling
mintPlayer
:1.- Club owner sent more eth by mistake. 2.- Club owner sent the correct eth amount, but an owner transaction to reduce fees happen to reach the arbitrum sequencer first and then executed before club owner tx.
Impact
Club owners will lose any surplus of eth sent when calling
mintPlayers
.Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumAcademy.sol#L259
Tool used
Manual Review
Recommendation
Refund the difference of
msg.value - totalFee
whenmsg.value > totalFee
.