search

sherlock-audit / 2024-04-titles-judging

10 stars 7 forks source link

techOptimizor - Attacker can avoid paying mint fee by using any ETH excesses in feemanager #293

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

techOptimizor

medium

Attacker can avoid paying mint fee by using any ETH excesses in feemanager

Summary

Attacker can avoid paying mint fee by using any ETH excesses in feemanager

Vulnerability Detail

An attacker can call mint with 0 msg.value if there is any excess excesses in feemanager because the feemanager does not verify where enough fee was sent but uses it balance to pay making it possible that any excess in the feemanager be drain out.

 function mint(
        address to_,
        uint256 tokenId_,
        uint256 amount_,
        address referrer_,
        bytes calldata data_
    ) external payable override {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, referrer_, works[tokenId_].strategy
        );

        _issue(to_, tokenId_, amount_, data_);
        _refundExcess();
    }

No verification if msg.value is actully up to the mint fee 

  function collectMintFee(
        IEdition edition,
        uint256 tokenId_,
        uint256 amount_,
        address payer_,
        address referrer_,
        Strategy calldata strategy_
    ) external payable {
        _collectMintFee(
            edition, tokenId_, amount_, payer_, referrer_, getMintFee(strategy_, amount_)
        );
    }

Impact

protocol wont be able to withdraw excess as it would all be drain out

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/fees/FeeManager.sol#L183

Tool used

Manual Review

Recommendation

Verify the right msg.value is sent

Duplicate of #269