User can drain the native coin
Low/Info issue submitted by 0x77
Summary
The function _refundExcess in Edition.sol does not check the balance attributable to the calling user; it only checks the contract's total balance, and if that balance is greater than zero, all of the contract's ETH is transferred to the caller, who may not be entitled to it.
Vulnerability Detail
The _refundExcess() function in the Edition.sol contract is called from several functions. Because there is no per-user accounting of what each caller is owed, any user who triggers it may receive the entire contract balance.
Impact
Currently the impact of this vulnerability is low, because excess funds are not returned to the Edition.sol contract and the contract has no method for receiving ETH. However, if excess funds are ever returned to the contract by this same method in the future, the impact becomes high, since a single user could take the excess funds of other users as well.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L512
Tool used
Manual Review
Recommendation
Maintain the ETH balance owed to each user and return only that user's associated balance instead of the whole contract balance. Alternatively, deduct only the portion of msg.value that the protocol actually requires and refund the remainder to the caller.
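The following is an added illustration, not code from the Titles project or Edition.sol: a minimal contract contrasting the refund pattern described in this finding (refund `address(this).balance` to whoever calls) with the recommended correction (refund only `msg.value - required`). The mint price, the `minted` mapping and the function names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract only; PRICE and the mint bookkeeping are assumed.
contract RefundExample {
    uint256 public constant PRICE = 0.01 ether; // assumed unit price
    mapping(address => uint256) public minted;

    // Weak pattern from the finding: the refund is based on the contract's
    // total balance, not on what this caller overpaid. Any ETH the contract
    // happens to hold (e.g. other users' excess) goes to the caller.
    function _refundExcessWeak() internal {
        if (address(this).balance > 0) {
            (bool ok, ) = msg.sender.call{value: address(this).balance}("");
            require(ok, "refund failed");
        }
    }

    // Recommended pattern: compute the refund from msg.value and the amount
    // the protocol requires for this call, so a caller can only ever get
    // back their own overpayment.
    function _refundExcess(uint256 required) internal {
        require(msg.value >= required, "insufficient payment");
        uint256 excess = msg.value - required;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }

    // Entry point using the weak refund: the caller's own overpayment is
    // refunded, but so is every other wei sitting in the contract.
    function mintWeak(uint256 quantity) external payable {
        require(msg.value >= PRICE * quantity, "insufficient payment");
        minted[msg.sender] += quantity;        // effects before interaction
        _refundExcessWeak();
    }

    // Entry point using the corrected refund: only msg.value - required
    // leaves the contract, and PRICE * quantity stays as protocol revenue.
    function mint(uint256 quantity) external payable {
        uint256 required = PRICE * quantity;
        minted[msg.sender] += quantity;        // effects before interaction
        _refundExcess(required);
    }
}
```

If the protocol instead tracks a per-user ledger (the report's first suggestion), the same rule applies: the refund amount must be read from that user's entry, never from `address(this).balance`.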