Excess payment in EntityForging::forgeWithListed
will be stuck in contract, leading to loss of players' funds
#127
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntityForging/EntityForging.sol#L102-L175
Vulnerability details
Impact
In the
EntityForging::forgeWithListed
function, any excess amount ofmsg.value
over the requiredforgingFee
is not refunded and will be stuck in the contract, leading to loss of players' funds. The contract currently only requires thatmsg.value
be greater than or equal to theforgingFee
, but there is no logic to refund any excess amounts sent.Proof of Concept
The aforesaid check in
EntityForging::forgeWithListed
is extracted below:https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntityForging/EntityForging.sol#L125-L126
There is no logic to refund any excess amounts sent. Note that such a refund logic is present in the mint functions of TraitForgeNft.sol. One example is shown below:
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L181C3-L200C4
Tools Used
Manual review
Recommended Mitigation Steps
Implement a refund logic in
EntityForging::forgeWithListed
for excess amounts sent, similar to that in the mint functions of TraitForgeNft.solAssessed type
Other
The text was updated successfully, but these errors were encountered: