refunding excess ETH does not work properly

Summary

Edition.sol::_refundExcess function tries to send excess ETH sent by the user back to the user after minting but as msg.value is sent to FeeManager.sol refunding is broken.

Vulnerability Detail

Whenever a user mints tokens through Edition.sol msg.value will be forwarded to FeeManager.sol, after minting and fee distribution is complete, Edition.sol will try to refund the excess ETH sent by the user but _refundExcess function only does this if (msg.value > 0 && address(this).balance > 0), because all msg.value has been forwarded to FeeManager.sol this if statement will never be true and all of the excess ETH will stay in FeeManager.sol. At this point users have the ability to call collectMintFee to drain this ETH inside FeeManager.sol.

Impact

Refunding excess ETH does not work, excess ETH sent can be stolen.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L512-L516

Tool used

Manual Review

Recommendation

Consider redesigning refund process, you could move refunding operation to FeeManager.sol passing in the minter, as you are already forwarding the msg.value to FeeManager.sol, refund from there.

Duplicate of #269