bG9zZXIvZmFpbHVyZQ
commented
3 months ago Escalate
Dup of #280
Closed sherlock-admin3 closed 4 months ago
bG9zZXIvZmFpbHVyZQ
commented
3 months ago Escalate
Dup of #280
sherlock-admin3
commented
3 months ago Escalate
Dup of #280
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
WangSecurity
commented
3 months ago Agree with the escalation, planning to accept and duplicate with #280
Evert0x
commented
3 months ago Result: Medium Duplicate of #280
sherlock-admin4
commented
3 months ago
AgileJune
high
Edition.sol::mintBatch(multi-tokens to one receiver) will always revert because of wrong implementation to call FeeManager::collectMintFee
Summary
Edition.sol::mintBatch(multi-tokens to one receiver) will always revert because of wrong implementation to callFeeManager::collectMintFee.Vulnerability Detail
A user calls the payable
Edition.sol::mintBatchfunction with the needed ETH amounts (let's say it'samountX) as fee. Then Edition contract's balance becomes amountX. and then TheEdition.sol::mintBatchfunction callsFEE_MANAGER.collectMintFeewithmsg.valueinside of for-loop. here msg.value = amountX, so after this call for first tokenId, contract's balance would be amountX - msg.value = 0. For second loop for 2nd tokenId, collectMintFee() function calling would be revert because of (msg.value > Edition's balance).Impact
As result, this mintBatch function will always revert.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review
Recommendation
Replace FEE_MANAGER.collectMintFee{value: msg.value} with FEE_MANAGER.collectMintFee{value: address(this).balance} and then in feemanger::collectMintFee() function, add code parts to refund left balance back to Edition contract.
Duplicate of #280