search

sherlock-audit / 2024-04-titles-judging

10 stars 7 forks source link

valentin2304 - `_refundExcess` in `Edition` is not working as intended #325

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

valentin2304

high

_refundExcess in Edition is not working as intended

High

Summary

_refundExcess function in Edition is responsible for returning the unused leftover of msg.value, but is used in function which send all of msg.value in feeManager contract leaving 0 in Edition contract;

Vulnerability Detail

    function mint(
        address to_,
        uint256 tokenId_,
        uint256 amount_,
        address referrer_,
        bytes calldata data_
    ) external payable override {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, referrer_, works[tokenId_].strategy
        );

        _issue(to_, tokenId_, amount_, data_);
        _refundExcess();
    }
function _refundExcess() internal {
        if (msg.value > 0 && address(this).balance > 0) {
            msg.sender.safeTransferETH(address(this).balance);
        }
    }

Code above shows how mint function in Edition contract works. Mistake is coming from that in mint functions in Editioncontract calls FEE_MANAGER with all the value of msg.value leaving 0 in Edition contract leaving _refundExcess with address(this).balance = 0;

Impact

Loss of funds for user

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L228-#L242

Tool used

Manual Review

Recommendation

Call FEE_MANAGER with the msg.value it only needs;

Duplicate of #269