Closed sherlock-admin4 closed 2 months ago
Escalate
This is a valid issue. Please help to check. It's a duplicate of #269
Escalate
This is a valid issue. Please help to check. It's a duplicate of #269
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #269
Result: High Duplicate of #269
ast3ros
high
Excess minting fee is not refunded to the user
Summary
The
mint
function fails to refund excess ETH sent over the required minting fee due to an oversight in the fee handling process within the contract.Vulnerability Detail
The
mint
function is designed to collect minting fees and issue tokens. It sends the entiremsg.value
, which is the ETH provided by the user, to theFEE_MANAGER
to collect fees. This design fails to account for any excess ETH beyond the actual minting fee, as allmsg.value
is transferred, leaving the contract balance at zero.https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L228-L242
However, the
_refundExcess
function attempts to refund any remaining balance to the user, but since the contract balance is zero after the fee transfer, no refund occurs:https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L512-L516
The impact exits in other functions such as
mintWithComment
andmintBatch
as well.Impact
This issue leads to users losing excess ETH sent for minting beyond the required fees, affecting trust and usability of the platform.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L228-L242 https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L512-L516
Tool used
Manual Review
Recommendation
Implement a precise fee calculation before calling
FEE_MANAGER.collectMintFee
. Only the calculated fee should be sent to theFEE_MANAGER
contract, ensuring any excess ETH remains in the contract's balance, allowing the_refundExcess
function to properly refund the user.Duplicate of #269