Closed sherlock-admin3 closed 4 months ago
Escalate
This is a duplicate of #269
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #269
Result: High Duplicate of #269
KupiaSec
high
Design Flaw in Edition::_refundExcess Function Implementation
Summary
The Edition::_refundExcess function is designed to refund any excess Ether sent by minters during the mint process. However, the current implementation directs the entire Ether balance of the Edition to the FeeManager contract, leaving no funds remaining to facilitate the intended refund functionality. As a result, the Edition::_refundExcess function is unable to return excess Ether payments to the minters. On the other hand, anyone can withdraw the entire Eth balance of the Edition through the Edition.mint functions, which call Edition::_refundExcess.
Vulnerability Detail
The Edition::_refundExcess function is invoked during the edition minting process.
The current implementation of the Edition::_refundExcess function is as follows:
As evident from the provided code, the Edition::_refundExcess function refunds the remaining balance of the Edition after the minting process. However, the current implementation directs the Ether to the FeeManager contract, leaving no funds remaining to facilitate the intended refund functionality.
On the other hand, if there is some Eth in Edition, anyone can receive the entire Eth balance of the Edition by calling this function. Only the privileged address should be able to withdraw the Eth balance of the Edition.
Impact
Edition::_refundExcess function is unable to refund the excess funds, resulting in a financial loss for the minters.
Eth balance of the Edition.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L512
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L236
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L262
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L287
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L311
Tool used
Manual Review
Recommendation
It is recommended to implement the refund functionality for excess mint fees in the FeeManager contract, rather than the Edition contract.
Duplicate of #269
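A minimal sketch of the accounting problem this report describes, beside the recommended form where the fee collector performs the refund. It is added here as an example and is not the Edition.sol code or the reporter's code; the contract names, the flat MINT_FEE and the feeSink address are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for a fee collector; the flat fee and all names are assumptions.
contract FeeCollectorSketch {
    uint256 public constant MINT_FEE = 0.001 ether;

    // Keeps exactly MINT_FEE and returns the remainder to `payer` in the same call,
    // so the minting contract never has to hold ether for refunds.
    function collectMintFee(address payer) external payable {
        require(msg.value >= MINT_FEE, "fee not covered");
        uint256 excess = msg.value - MINT_FEE;
        if (excess > 0) {
            (bool ok, ) = payer.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

// Pattern the report describes: the whole payment is forwarded, then the refund
// is sized by the contract's own balance.
contract EditionBefore {
    address payable public immutable feeSink;
    constructor(address payable sink) { feeSink = sink; }
    receive() external payable {} // ether can reach the contract outside mint()

    function mint() external payable {
        (bool ok, ) = feeSink.call{value: msg.value}(""); // overpayment leaves here too
        require(ok, "fee transfer failed");
        _refundExcess();
    }

    function _refundExcess() internal {
        // Usually 0, so nothing is refunded; if non-zero, it is ether this caller never sent.
        uint256 bal = address(this).balance;
        if (bal > 0) {
            (bool ok, ) = msg.sender.call{value: bal}("");
            require(ok, "refund failed");
        }
    }
}

// Refund derived from this call's payment only; the contract balance is never read.
contract EditionAfter {
    FeeCollectorSketch public immutable fees;
    constructor(FeeCollectorSketch f) { fees = f; }
    function mint() external payable {
        fees.collectMintFee{value: msg.value}(msg.sender);
    }
}
```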