Closed sherlock-admin4 closed 1 month ago
Escalate
This is a valid issue. The duplicate was accepted and is rewarded here: https://github.com/sherlock-audit/2024-04-titles-judging/issues/269
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #269
Result: High Duplicate of #269
ComposableSecurity
medium
The _refundExcess function does not work as the whole msg.value is forwarded to FeeManager
Summary
The _refundExcess function does not work, because the entire msg.value is forwarded to the FeeManager and there is never any Ether left on the Edition contract to be refunded.
Vulnerability Detail
The contract assumes the return of excess funds after collecting the appropriate fee. This is done by the _refundExcess function located in the Edition contract:
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L510-L517
This function refers to the balance of the Edition contract, but the entire msg.value is passed to FeeManager, so it is not possible for it to return the excess funds sent.
Not all users calculate the exact values when they are sending msg.value, especially in batch transactions and when they are doing that through other contracts. As the _refundExcess function exists, it is assumed that the protocol wants to protect users who do not send the exact values in msg.value.
POC results
POC file
Impact
Loss of the excess Ether sent to the Edition contract.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L510-L517
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L241
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L267
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L296
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L319
Tool used
Manual Review
Recommendation
Move the _refundExcess() function to the FeeManager contract and use it on payer_, or do not send the entire msg.value; forward just the calculated fees (e.g. through getMintFee) and return the rest to the user.
Duplicate of #269
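The pattern the finding describes, as an added illustration that is not code from the TITLES repository or from the report above. FeeSink, LeakyEdition, FixedEdition, collectMintFee and the flat-fee model are assumptions made for this example; the real Edition and FeeManager contracts differ in their details. LeakyEdition forwards the whole msg.value before checking its own balance, so the refund branch can never execute; FixedEdition applies the second suggested fix, forwarding only the computed fee and refunding the remainder to the payer:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical fee collector standing in for FeeManager (assumption, not the project's contract).
contract FeeSink {
    uint256 public immutable fee; // flat fee per mint, assumed for illustration

    constructor(uint256 fee_) {
        fee = fee_;
    }

    function getMintFee() external view returns (uint256) {
        return fee;
    }

    // Accepts whatever is sent, as a fee collector typically does.
    function collectMintFee() external payable {
        require(msg.value >= fee, "fee too low");
    }
}

// Broken pattern from the finding: everything is forwarded first, so
// address(this).balance is already zero when _refundExcess runs.
contract LeakyEdition {
    FeeSink public immutable feeManager;

    constructor(FeeSink fm) {
        feeManager = fm;
    }

    function mint() external payable {
        feeManager.collectMintFee{value: msg.value}(); // forwards the entire msg.value
        _refundExcess();                                // balance is 0 here, nothing is refunded
    }

    function _refundExcess() internal {
        uint256 excess = address(this).balance; // never includes the caller's overpayment
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

// Fixed pattern: forward exactly the computed fee and return the rest to the payer.
contract FixedEdition {
    FeeSink public immutable feeManager;

    constructor(FeeSink fm) {
        feeManager = fm;
    }

    function mint() external payable {
        uint256 fee = feeManager.getMintFee();
        require(msg.value >= fee, "insufficient fee");
        feeManager.collectMintFee{value: fee}(); // only the fee leaves this contract
        uint256 excess = msg.value - fee;        // computed from msg.value, not from the balance
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```

With a FeeSink deployed at a fee of 0.01 ether, calling LeakyEdition.mint with 0.02 ether leaves all 0.02 ether in the FeeSink and returns nothing to the caller, which is the loss described under Impact; the same call on FixedEdition leaves 0.01 ether in the FeeSink and sends 0.01 ether back. The key point is that a refund computed from address(this).balance is only meaningful if the overpayment is still held by the contract at the time of the check.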