-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ETH will get stuck/locked in the EntityForging contract #111
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-bot-10
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
labels
Aug 5, 2024
howlbot-integration
bot
added
sufficient quality report
This report is of sufficient quality
duplicate-218
labels
Aug 9, 2024
koolexcrypto changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
and removed
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
labels
Aug 18, 2024
koolexcrypto marked the issue as grade-c |
c4-judge
added
grade-c
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
labels
Aug 20, 2024
This previously downgraded issue has been upgraded by koolexcrypto |
c4-judge
added
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
and removed
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
labels
Aug 31, 2024
koolexcrypto marked the issue as duplicate of #687 |
koolexcrypto marked the issue as duplicate of #218 |
koolexcrypto changed the severity to QA (Quality Assurance) |
c4-judge
added
downgraded by judge
Judge downgraded the risk level of this issue
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
and removed
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
labels
Sep 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L102
Vulnerability details
Vulnerability Details
In the
EntityForging
contract, theforgeWithListed
ispayable
since the caller has to send the native token to pay for the forging fee. However, there is only a check that themsg.value
is greater or equal than the requiredfee
. In case a user sends moremsg.value
than needed, there is no refund mechanism or even a way to get the native token out of the contract. This is inconsistent with the rest of the protocol'spayable
functions, which either have a refund mechanism or only check that themsg.value
is equal to the required amount.Impact
Users' excess
ETH
will remain locked and lost in theEntityForging
contract without a way for anyone to get it out.Proof of Concept
I'm providing my full foundry test file:
Tools Used
Manual review
Recommended Mitigation Steps
TraitForgeNft::mintToken
function.msg.value
Assessed type
Other
The text was updated successfully, but these errors were encountered: