Edition._refundExcess() will not refund user funds
Summary
Edition._refundExcess() must refund any amount not used up by the minting fees to the caller. It does not work because the whole msg.value is being forwarded to the FeeManager contract and there is nothing to be refunded.
Vulnerability Detail
All functions that mint with fee - mint(), mintWithComment() and mintBatch - send the whole msg.value to the FeeManager contract and then call _refundExcess assuming the excess will be in the current contract, but it will actually be in the FeeManager contract.
ZdravkoHr.
medium
Edition._refundExcess()
will not refund user fundsSummary
Edition._refundExcess() must refund any amount not used up by the minting fees to the caller. It does not work because the whole
msg.value
is being forwarded to theFeeManager
contract and there is nothing to be refunded.Vulnerability Detail
All functions that mint with fee - mint(), mintWithComment() and mintBatch - send the whole
msg.value
to theFeeManager
contract and then call_refundExcess
assuming the excess will be in the current contract, but it will actually be in theFeeManager
contract.Impact
Refunding functionality does not work, even though it should be supported. Users will lose their funds.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L510-L517
Tool used
Manual Review
Recommendation
Either add a refund mechanism to
FeeManager
as well or don't send the wholemsg.value
, but just a portion of it.Duplicate of #269