/// @notice Refund any excess ETH sent to the contract.
/// @dev This function is called after minting tokens to refund any ETH left in the contract after all fees have been collected.
function _refundExcess() internal {
if (msg.value > 0 && address(this).balance > 0) {
msg.sender.safeTransferETH(address(this).balance);
}
}
Impact
Some user can lose funds while other user can get more funds in return.
Code Snippet
Consider these Scenarios
Scenario A:
User A calls the mint method
In the end, he spent $20 more than was needed.
In a normal scenario, this $20 would have been refunded, but due to gas prices being high as they normally are on the ETH Mainnet,.
These funds are stuck in the contract.
Scenario B:
User B calls the mint method
In the end, he spent $100 more than was needed.
This amount is enough to pay for the gas, but the total amount that he would receive ( considering $30 in gas fees) will be:
Actual amount :$90 ($100+$20-$30)
Expected amount: $70 ($100-$30)
Tool used
Manual Review
Recommendation
Implement a new mechanism that emits an event whenever user excess funds are stuck in the protocol so that later either ADMIN or some new role can refund this and also have an internal accounting system for such excess funds in the Edition contract.
maushish
high
_refundExcess()
current implementation could get transactions reverted.Summary
The current implementation of the
_refundExcess
method could make some users spend more funds in the minting process while others can get more funds.Vulnerability Detail
In the current implementaion we are using
address(this).balance
there could be a scenarios when gas fees is more than the current contract's balance especially on the ETH MAINNET, due to which this function will simply revert the txn. https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L512Impact
Some user can lose funds while other user can get more funds in return.
Code Snippet
Consider these Scenarios Scenario A:
mint
methodScenario B:
mint
methodManual Review
Recommendation
Implement a new mechanism that emits an event whenever user excess funds are stuck in the protocol so that later either
ADMIN
or some new role can refund this and also have an internal accounting system for such excess funds in theEdition
contract.