_refundExcess in Edition is not working as intended
High
Summary
The _refundExcess function in Edition is responsible for returning the unused remainder of msg.value to the caller, but it is called from mint functions that forward all of msg.value to the FeeManager contract, leaving a balance of 0 in the Edition contract, so there is nothing left to refund.
Vulnerability Detail
function _refundExcess() internal {
if (msg.value > 0 && address(this).balance > 0) {
msg.sender.safeTransferETH(address(this).balance);
}
}
The snippet above is the refund helper used by the mint functions in the Edition contract. The mistake is that those mint functions call FEE_MANAGER with the entire msg.value, so by the time _refundExcess runs the Edition contract holds nothing: address(this).balance is 0, the helper's condition is false, and no refund is made even when the caller overpaid.
valentin2304
Impact
Loss of funds for the user: any ETH sent above the required mint fee is forwarded to the fee manager and is never refunded.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L228-#L242
Tool used
Manual Review
Recommendation
Call FEE_MANAGER with only the value it actually needs (the computed fee), so that the remainder stays in the Edition contract and is returned to the caller by _refundExcess.
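To make the failure mode and the recommended fix concrete, the following is an added illustration and not the Titles project's code: a stripped-down fee manager, the same _refundExcess logic as above, a mint that forwards the whole msg.value (the pattern this finding describes) and a mint that forwards only the fee. The FeeManager interface, the flat per-token fee, the mint signature and the plain .call refund used in place of safeTransferETH are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Titles project's code. The fee manager,
// the flat fee and the mint signature are simplified assumptions.

contract FeeManager {
    uint256 public constant MINT_FEE = 0.01 ether; // assumed flat fee per token

    function getMintFee(uint256 amount) external pure returns (uint256) {
        return MINT_FEE * amount;
    }

    // Keeps whatever it is sent; nothing is returned to the caller.
    function collectMintFee(uint256 amount) external payable {
        require(msg.value >= MINT_FEE * amount, "fee too low");
    }
}

abstract contract EditionBase {
    FeeManager public immutable FEE_MANAGER;
    mapping(address => uint256) public minted;

    constructor(FeeManager feeManager) {
        FEE_MANAGER = feeManager;
    }

    // Same condition as the helper in this finding: it can only refund
    // whatever is still sitting in this contract when it runs.
    function _refundExcess() internal {
        if (msg.value > 0 && address(this).balance > 0) {
            (bool ok, ) = msg.sender.call{value: address(this).balance}("");
            require(ok, "refund failed");
        }
    }

    function _issue(address to, uint256 amount) internal {
        minted[to] += amount;
    }
}

// Vulnerable pattern: the entire msg.value is forwarded to FEE_MANAGER, so
// address(this).balance is already 0 when _refundExcess runs. The overpayment
// is stuck in the fee manager and the caller gets nothing back.
contract EditionVulnerable is EditionBase {
    constructor(FeeManager fm) EditionBase(fm) {}

    function mint(address to, uint256 amount) external payable {
        FEE_MANAGER.collectMintFee{value: msg.value}(amount);
        _issue(to, amount);
        _refundExcess(); // balance is 0 here: no-op
    }
}

// Fixed pattern: forward only the fee that is owed. The remainder stays in
// this contract and _refundExcess returns it to the caller.
contract EditionFixed is EditionBase {
    constructor(FeeManager fm) EditionBase(fm) {}

    function mint(address to, uint256 amount) external payable {
        uint256 fee = FEE_MANAGER.getMintFee(amount);
        require(msg.value >= fee, "insufficient fee");
        FEE_MANAGER.collectMintFee{value: fee}(amount);
        _issue(to, amount);
        _refundExcess(); // refunds msg.value - fee
    }
}
```

One caveat worth keeping in mind when applying the fix: _refundExcess sends the whole contract balance, not msg.value minus the fee, so any ETH already in the contract (for example force-sent via selfdestruct) would be handed to the next minter. If the Edition contract is never meant to hold ETH between calls this is harmless; otherwise refund the exact difference instead of address(this).balance.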
Duplicate of #269