Closed sherlock-admin3 closed 4 months ago
Duplicate of #269 @Hash01011122
Some of the issues marked as duplicates of this issue are actually duplicates of #280
The protocol team fixed this issue in the following PRs/commits: https://github.com/titlesnyc/wallflower-contract-v2/pull/1
The Lead Senior Watson signed off on the fix.
kn0t
high
Mint Functions in `Edition` Contract Fail to Refund Excess ETH Sent by Users

## Summary
In the `Edition` contract, when users mint tokens through any of the mint functions (`mint`, `mintWithComment` and the two `mintBatch` functions), excess ETH is not refunded. Although the `_refundExcess` function is called at the end of each mint function to handle this refund, the way the mint functions forward ETH defeats it, leading to the issue.

## Vulnerability Detail
When a user calls a mint function, the entire `msg.value` is sent to the `feeManager` contract to collect fees. Since the `feeManager` does not return excess ETH, any surplus remains in the `feeManager` contract. Consequently, the balance of the `Edition` contract stays at zero, and `_refundExcess()` has nothing to refund to the user.

Consider the `mint` function as an example (the issue persists similarly across the other mint functions):

## Impact
Users who mint tokens through the `Edition` contract may lose the excess ETH they send. This can result in financial losses and dissatisfaction among users.

## Code Snippet
Here is a test for PoC. Insert the following test in the `Edition.t.sol` file:

## Tool used
Manual Review

## Recommendation
Modify the mint functions to send only the required fee to the `feeManager` and refund any excess ETH to the user. This can be implemented by adjusting the mint functions as shown in the diffs below:

Duplicate of #269