Closed sherlock-admin2 closed 8 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
invalid: this is a loss for the user, and he should have a fallback function
Invalid, user error; not valid based on Sherlock rules. It is the keepers' responsibility to ensure the contract/EOA they are calling updatePythPrice() from can receive the refunds appropriately.
0x_Sanzcy
medium
Non-refundable fees sent to pay the Pyth off-chain oracle will be locked in the contract
Summary
The updatePythPrice function takes a fee when users update the price data. The fee is sent along with the call as msg.value and deducted from it; if there is any leftover value after the call, it is refunded to the user. The issue is that when the user has a fallback function that rejects all incoming ETH, the user won't be able to receive the refund, and there is no way to retrieve the ETH of such a failed transaction from the OracleModule contract.
Vulnerability Detail
The function is marked payable, indicating that it can receive ETH. The fee is then calculated in the getUpdateFee function, which returns the amount of fee the user will pay for the update. If the user sent more ETH than required for the fee, the rest is sent back to the sender, which reverts if the refund fails.
Impact
Non-refundable ETH will remain locked in the contract.
Code Snippet
https://github.com/sherlock-audit/2023-12-flatmoney/blob/main/flatcoin-v1%2Fsrc%2FOracleModule.sol#L64-L76
Tool used
Manual Review
Recommendation
Include a function to retrieve non-refundable ETH from the contract.
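The fee-and-refund flow the finding describes, as an added example written for this page (it is not the audited OracleModule and not the project's code). The IPythLike interface is an assumption: it mirrors the getUpdateFee/updatePriceFeeds shape of the Pyth contract but nothing else. The push-style function shows the behaviour the finding points at (the refund is attempted in the same call and the whole transaction reverts when the sender rejects ETH, so the call fails rather than leaving value behind); the pull-style variant is one mitigation pattern, added here as an alternative to the rescue function the recommendation asks for: the excess is credited to the caller, who withdraws it later to any address that can accept ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: minimal stand-in for the Pyth contract, with the same method
// shapes as getUpdateFee / updatePriceFeeds. Not the real IPyth interface.
interface IPythLike {
    function getUpdateFee(bytes[] calldata updateData) external view returns (uint256);
    function updatePriceFeeds(bytes[] calldata updateData) external payable;
}

contract RefundingOracle {
    IPythLike public immutable pyth;

    // Pull-based refunds: excess ETH is credited here instead of pushed back.
    mapping(address => uint256) public pendingRefunds;

    constructor(IPythLike _pyth) {
        pyth = _pyth;
    }

    // Push-style refund, the pattern the finding describes: the excess is sent
    // straight back to msg.sender inside the same call. If the sender is a
    // contract whose receive()/fallback reverts, the refund fails and the
    // require() reverts the entire transaction, including the price update.
    function updatePythPricePush(bytes[] calldata updateData) external payable {
        uint256 fee = pyth.getUpdateFee(updateData);
        require(msg.value >= fee, "insufficient fee");
        pyth.updatePriceFeeds{value: fee}(updateData);

        uint256 excess = msg.value - fee;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }

    // Pull-style alternative: record the excess and let the caller collect it
    // later. The price update succeeds even when the caller cannot accept ETH,
    // and the excess can be withdrawn to a different, payable address.
    function updatePythPricePull(bytes[] calldata updateData) external payable {
        uint256 fee = pyth.getUpdateFee(updateData);
        require(msg.value >= fee, "insufficient fee");
        pyth.updatePriceFeeds{value: fee}(updateData);

        uint256 excess = msg.value - fee;
        if (excess > 0) {
            pendingRefunds[msg.sender] += excess;
        }
    }

    // Withdraw the credited excess to an address of the caller's choosing.
    // Balance is zeroed before the external call (checks-effects-interactions).
    function withdrawRefund(address payable to) external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRefunds[msg.sender] = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}

// Constructed for illustration: a keeper contract that rejects all incoming
// ETH, the condition under which the push-style refund reverts.
contract RejectingKeeper {
    receive() external payable {
        revert("no ETH accepted");
    }
}
```

Against RejectingKeeper, updatePythPricePush reverts as a whole (so the contract holds no stranded ETH but the update is also lost), while updatePythPricePull completes the update and leaves the excess claimable via withdrawRefund to a payable address. A caller that wants to avoid both problems can also simply send exactly getUpdateFee, so no excess exists.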