Closed sherlock-admin4 closed 2 months ago
Duplicate of #269 @Hash01011122
@pqseags, thanks for your input. I agree with what you mentioned as the root cause, and the impact remains the same; this can be duplicated with #269.
The protocol team fixed this issue in the following PRs/commits: https://github.com/titlesnyc/wallflower-contract-v2/pull/1
The Lead Senior Watson signed off on the fix.
zoyi
high
_refundExcess leads to funds lost
Summary
_refundExcess does not work, leading to funds lost.
Vulnerability Detail
If a user sends more ETH than required, _refundExcess should refund the excess amount:
The problem is that address(this).balance will be 0, resulting in msg.sender.safeTransferETH(address(this).balance) not executing.
Furthermore, any person can monitor the balance of the Edition contract and just mint a (free) Edition with more than 1 wei to suffice this check: if (msg.value > 0 && address(this).balance > 0) and empty the contract.
Proof of Concept
Put this in Edition.t.sol:
Running this results in:
Alice did not get refunded, leading to Alice's funds being lost.
Impact
Funds lost due to refunds not working correctly.
Code Snippet
Edition.sol#L512-L516
Tool used
Manual Review
Recommendation
Modify the _refundExcess() function.
Duplicate of #269
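As an added illustration of the two failure modes described in the finding (this is example code written for this page, not the reporter's PoC and not the project's Edition.sol), the snippet below models the quoted refund check in a small contract next to a hardened version, and drives both with a Foundry test. Assumptions not taken from the finding: the mint forwards the entire msg.value to a fee sink before calling _refundExcess (the reason the balance is 0 at refund time), the contract names FeeSink, RefundByBalance and RefundByExcess, the PRICE constant, and the use of forge-std's Test helpers; the project's own code uses safeTransferETH where this example uses a raw call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol"; // assumption: Foundry project

// Stand-in for whatever receives the forwarded mint payment (constructed for this example).
contract FeeSink {
    receive() external payable {}
}

// Vulnerable shape: forward the full msg.value, then refund address(this).balance.
contract RefundByBalance {
    uint256 public constant PRICE = 0.01 ether; // assumed price
    FeeSink public immutable sink;

    constructor(FeeSink _sink) { sink = _sink; }

    function mint() external payable {
        require(msg.value >= PRICE, "underpaid");
        // Assumption: the whole payment leaves the contract before the refund runs,
        // so the caller's excess is already gone when _refundExcess looks at the balance.
        (bool ok,) = address(sink).call{value: msg.value}("");
        require(ok, "forward failed");
        _refundExcess();
    }

    // Same check as quoted in the finding. Two consequences:
    //  1. after the forward above, address(this).balance is 0, so nothing is refunded;
    //  2. if the contract holds ETH for any other reason, ANY caller sending > 0 wei
    //     receives the entire balance, not just their own excess.
    function _refundExcess() internal {
        if (msg.value > 0 && address(this).balance > 0) {
            (bool ok,) = msg.sender.call{value: address(this).balance}("");
            require(ok, "refund failed");
        }
    }

    // Lets ETH accumulate (e.g. a stray transfer), which the refund above then exposes.
    receive() external payable {}
}

// Hardened shape: forward only what is owed and refund exactly the caller's own excess.
contract RefundByExcess {
    uint256 public constant PRICE = 0.01 ether;
    FeeSink public immutable sink;

    constructor(FeeSink _sink) { sink = _sink; }

    function mint() external payable {
        require(msg.value >= PRICE, "underpaid");
        (bool ok,) = address(sink).call{value: PRICE}("");
        require(ok, "forward failed");
        _refundExcess(msg.value - PRICE); // computed from msg.value, never from the balance
    }

    function _refundExcess(uint256 excess) internal {
        if (excess > 0) {
            (bool ok,) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

contract RefundTest is Test {
    function test_balanceBasedRefundLosesAndLeaksFunds() public {
        FeeSink sink = new FeeSink();
        RefundByBalance e = new RefundByBalance(sink);
        address alice = makeAddr("alice");
        address mallory = makeAddr("mallory");
        vm.deal(alice, 1 ether);
        vm.deal(mallory, 1 ether);

        // Failure mode 1: overpayment is forwarded in full and never refunded.
        vm.prank(alice);
        e.mint{value: 0.02 ether}();
        assertEq(alice.balance, 0.98 ether); // the 0.01 ether excess is gone

        // Failure mode 2: any ETH the contract holds is handed to the next payer.
        vm.deal(address(e), 0.5 ether);
        vm.prank(mallory);
        e.mint{value: 0.01 ether + 1}();
        assertEq(address(e).balance, 0); // drained to mallory by paying 1 wei over price
    }

    function test_excessBasedRefundReturnsOnlyOverpayment() public {
        FeeSink sink = new FeeSink();
        RefundByExcess e = new RefundByExcess(sink);
        address alice = makeAddr("alice");
        vm.deal(alice, 1 ether);
        vm.prank(alice);
        e.mint{value: 0.02 ether}();
        assertEq(alice.balance, 0.99 ether); // only PRICE was kept
    }
}
```

Run with `forge test` in a project that has forge-std installed. The design point is the one the finding makes: a refund derived from address(this).balance is wrong in both directions, silently refunding nothing when the payment has already been forwarded and refunding everything the contract holds to whoever calls next; computing the refund as msg.value minus the amount actually owed removes both problems.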