Closed sherlock-admin3 closed 4 months ago
This seems like a user mistake/Low. Though might be nice to add the recommendation.
The protocol team fixed this issue in PR/commit https://github.com/Tapioca-DAO/TapiocaZ/pull/188.
Invalid, user error to send excess funds, invalid based on the following Sherlock rules. The watsons also do not present a reasonable scenario where there will be excess funds not on purpose.
13. Users sending ETH/native tokens accidentally just because a contract allows is not a valid medium/high.
hyh
medium
Any excess native token funds sent to TOFTGenericReceiverModule's receiveWithParamsReceiver() can be immediately extracted by anyone via back-running
Summary
msg.value - msg_.amount can be stolen right after the receiveWithParamsReceiver() call each time it's big enough to cover the attacker's gas costs.
Vulnerability Detail
Excess funds occurrences can be expected in general in user-facing operations. There also exists a share of cases when msg.value - msg_.amount isn't just a residue, but is material, being the result of a user operational mistake. An attacker can set up a bot, automatically tracking all such events and immediately extracting these funds via back-running whenever the expected result exceeds gas costs.
Impact
Native tokens are a free grab from the contract balance, and msg.value - msg_.amount can be instantly lost this way to back-running. The prerequisite is a call having more than msg_.amount attached, so the probability is low. Funds stealing impact has high severity.
Likelihood: Low + Impact: High = Severity: Medium.
Code Snippet
In addition to the msg.value - msg_.amount excess being stolen, when msg_.unwrap == false the msg.value attached to a call will be lost in a similar way:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTGenericReceiverModule.sol#L47-L67
Tool used
Manual Review
Recommendation
Consider checking for excess and zero values, e.g.:
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTGenericReceiverModule.sol#L47-L67
https://github.com/sherlock-audit/2024-02-tapioca/blob/main/TapiocaZ/contracts/tOFT/modules/TOFTGenericReceiverModule.sol#L34
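The issue class and the recommended checks, as an added illustration that is not part of the report above and not TapiocaZ code. The contracts, the ReceiveParams struct, the BackRunner contract and the exact-match check are hypothetical simplifications: the vulnerable module pays msg_.amount out of its own balance without tying it to msg.value, so any residue left by a caller who over-attaches (or attaches value on the unwrap == false path) can be swept by a zero-value call; the hardened module rejects zero amounts and requires msg.value to match exactly.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical model of the pattern described in the report (not project code).
struct ReceiveParams {
    address receiver;
    uint256 amount;
    bool unwrap; // true: pay out native tokens; false: token path, no native payout
}

contract VulnerableReceiverModule {
    event Forwarded(address indexed receiver, uint256 amount);

    // Accepts any msg.value but never reconciles it with msg_.amount:
    //  - unwrap == true:  pays msg_.amount from the contract balance, so
    //    msg.value - msg_.amount stays behind, and a later msg.value == 0 call
    //    can pull that residue out to an arbitrary receiver.
    //  - unwrap == false: no native payout at all, so the whole msg.value stays behind.
    function receiveWithParamsReceiver(ReceiveParams calldata msg_) external payable {
        if (msg_.unwrap) {
            (bool ok, ) = msg_.receiver.call{value: msg_.amount}("");
            require(ok, "transfer failed");
            emit Forwarded(msg_.receiver, msg_.amount);
        }
        // token path omitted; msg.value is silently kept either way
    }
}

// The back-run: after observing a residue-creating call, anyone sends a
// zero-value call whose amount equals the module's balance.
contract BackRunner {
    receive() external payable {}

    function drain(VulnerableReceiverModule module) external {
        uint256 residue = address(module).balance;
        module.receiveWithParamsReceiver(
            ReceiveParams({receiver: address(this), amount: residue, unwrap: true})
        );
    }
}

contract HardenedReceiverModule {
    error ZeroAmount();
    error ValueMismatch(uint256 sent, uint256 expected);
    error UnexpectedValue(uint256 sent);

    event Forwarded(address indexed receiver, uint256 amount);

    function receiveWithParamsReceiver(ReceiveParams calldata msg_) external payable {
        if (msg_.unwrap) {
            if (msg_.amount == 0) revert ZeroAmount();
            // Exact match: nothing can accumulate, and a zero-value call cannot
            // pay out anything it did not bring along.
            if (msg.value != msg_.amount) revert ValueMismatch(msg.value, msg_.amount);
            (bool ok, ) = msg_.receiver.call{value: msg_.amount}("");
            require(ok, "transfer failed");
            emit Forwarded(msg_.receiver, msg_.amount);
        } else {
            // No native payout on this path, so no native value may be attached.
            if (msg.value != 0) revert UnexpectedValue(msg.value);
            // token path omitted
        }
    }
}
```

Reverting on a mismatch is chosen over refunding the difference: a refund would add a second external call and a reentrancy surface, whereas an exact-match check keeps the contract's native balance at zero between calls, which is the property that makes a back-run worthless.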