sherlock-audit / 2023-12-jojo-exchange-update-judging


millietez - Sent native ether will not be recorded in the contract #87

Closed sherlock-admin2 closed 9 months ago

sherlock-admin2 commented 10 months ago

millietez

medium

Sent native ether will not be recorded in the contract

Summary

Sent native ether will not be recorded in the contract.

Vulnerability Detail

The DepositStableCoinToDealer contract accepts ether in the form of wrapped ether (wETH). The depositStableCoin function checks the condition asset == weth && msg.value == amount in line 43 https://github.com/JOJOexchange/smart-contract-EVM/blob/aca8529979caa9e99ea48948645e041925731ef4/src/DepositStableCoinToDealer.sol#L43

If the value of asset is not equal to weth, the deposit call will not be executed. However, the user can still send msg.value, and the function will proceed to invoke the safeTransferFrom method, which is used to transfer ERC-20 tokens from the sender to the contract.

From the user's perspective, if they make a mistake in specifying the asset or amount and accidentally send native Ether, they may assume that the contract will handle it in the same way as the transfer of an ERC-20 token. However, the sent native ether will not be recorded in the contract. This could result in a loss of funds, as the contract will not be notified of the transfer of native Ether.

Impact

The complexity of detecting unintentional transfers and the potential loss of funds for the sender.

Code Snippet

https://github.com/JOJOexchange/smart-contract-EVM/blob/aca8529979caa9e99ea48948645e041925731ef4/src/DepositStableCoinToDealer.sol#L43

Tool used

Manual Review

Recommendation

Add a check for the absence of msg.value. If asset != weth, then msg.value should be equal to zero.
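To make the recommendation concrete, here is a simplified deposit contract written for this write-up (it is not JOJO's code; the `IWETH` interface, the `balances` mapping and the constructor are assumptions). It places the branch described above next to a version that rejects stray `msg.value` on the ERC-20 path, which also covers the `asset == weth` but `msg.value != amount` case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed minimal WETH interface for the illustration.
interface IWETH {
    function deposit() external payable;
}

// Illustration only: reconstructs the shape of the deposit path from the issue text.
contract DepositIllustration {
    using SafeERC20 for IERC20;

    address public immutable weth;
    // user => asset => credited amount (assumed bookkeeping, not the real dealer logic)
    mapping(address => mapping(address => uint256)) public balances;

    constructor(address weth_) {
        weth = weth_;
    }

    // Weak shape: when the WETH condition fails, msg.value is never examined, so
    // any ether attached to the call stays in the contract without being credited.
    function depositStableCoinUnchecked(address asset, uint256 amount) external payable {
        if (asset == weth && msg.value == amount) {
            IWETH(weth).deposit{value: amount}();
        } else {
            IERC20(asset).safeTransferFrom(msg.sender, address(this), amount);
        }
        balances[msg.sender][asset] += amount;
    }

    // Hardened shape: native ether is only accepted when it is wrapped on the
    // spot; every other call must carry no value, so a mistaken send reverts
    // instead of being silently absorbed.
    function depositStableCoin(address asset, uint256 amount) external payable {
        if (asset == weth && msg.value == amount) {
            IWETH(weth).deposit{value: amount}();
        } else {
            require(msg.value == 0, "unexpected native ether");
            IERC20(asset).safeTransferFrom(msg.sender, address(this), amount);
        }
        balances[msg.sender][asset] += amount;
    }
}
```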

sherlock-admin2 commented 9 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { watson didn't explain what the exploit or issue might look like }

nevillehuang commented 9 months ago

Invalid, user input error not valid based on sherlock rules.

  1. User input validation: User input validation to prevent user mistakes is not considered a valid issue.