Closed sherlock-admin4 closed 5 months ago
Escalate
This is a valid issue . Also i have explained another issue in refundExcess function which can be seen from the following lines
Now another scenario for the current implmentation of the _refundExcess is that there can be scenario where mistakenly eth is send to the edition contract but also in that case the excess eth doesn't belongs to the msg.sender , so then also there is mistake in sending the excess eth to the next user which calls the mint function.
Any excess eth sent to the contract can be considered as a user mistake but sending the eth to the next msg.sender of the mint functionlity is also wrong therefore it is an issue.
Atleast it is a duplicate of #269 . From the above lines i have also explained a unique issue, so it can be considered as a different issue too. Leaving it to the judges.
Escalate
This is a valid issue . Also i have explained another issue in refundExcess function which can be seen from the following lines
Now another scenario for the current implmentation of the _refundExcess is that there can be scenario where mistakenly eth is send to the edition contract but also in that case the excess eth doesn't belongs to the msg.sender , so then also there is mistake in sending the excess eth to the next user which calls the mint function. Any excess eth sent to the contract can be considered as a user mistake but sending the eth to the next msg.sender of the mint functionlity is also wrong therefore it is an issue.
Atleast it is a duplicate of #269 . From the above lines i have also explained a unique issue, so it can be considered as a different issue too. Leaving it to the judges.
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #269
Result: High Duplicate of #269
Varun_05
high
_refundExcess implements wrong logic
Summary
refundExcess function implements wrong logic which makes it impossible to refund excess eth to the msg.sender.
Vulnerability Detail
Following is the _refundExcess function
It tries to refund excess eth which might be sent by the user when he sends eth for paying for the fees. But issue is that all the eth which user sends while minting is transferred to the fee manager contract when collectMintfee function in fee manager contract is called. Thus there is no eth left in the edition contract. Therefore every time it wouldn't refund any eth . All minting function are as follows and it can be clearly seen that all eth is forwarded to fee manager contract.
Now another scenario for the current implmentation of the _refundExcess is that there can be scenario where mistakenly eth is send to the edition contract but also in that case the excess eth doesn't belongs to the msg.sender , so then also there is mistake in sending the excess eth to the next user which calls the mint function. Any excess eth sent to the contract can be considered as a user mistake but sending the eth to the next msg.sender of the mint functionlity is also wrong therefore it is an issue.
Not only this if the excess eth sent by the user(while paying for the fees) is not returned to the user it can get accumulated in the fee manager contract and this next user who tries to mint can use this in its advantage by sending less eth while calling mint functions. Now as there would be excess eth left in the fee manager contract , the transaction wouldn't revert becasue of less eth send with the function call thus allowing a user to pay less eth as fees and get minted same amount of tokens.
Impact
This can cause excess eth to get accumulated in the fee manager contract and cause loss of eth for the user who sent excess eth. Also it can cause a malicious user to mint same amount of tokens by paying less fees.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L512
Tool used
Manual Review
Recommendation
Instead of checking the eth balance of the edition contract,check whether the eth balance of the fee manager is greater than zero at the end of every mint function and return that amount of eth to the msg.sender.
Duplicate of #269