Locked funds within the EntityForging.sol contract due to the forgeWithListed function not handling the potential extra msg.value provided. #501
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-218
grade-c
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group: AI based duplicate group recommendation
sufficient quality report: This report is of sufficient quality
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntityForging/EntityForging.sol#L126
Vulnerability details
Impact
User funds remain locked within the EntityForging.sol contract without the ability to be withdrawn by the user, any other entity, or the owner of the contract. Users will lose their funds without the possibility of a refund. This occurs because the forgeWithListed function does not handle the potential additional msg.value that may be provided during the execution of the forgeWithListed function.
Proof of Concept
To illustrate this issue, consider the following scenario:
A forger is listed with ID: 587 for 0.1 ETH, transaction:
https://sepolia.etherscan.io/tx/0x2288f0c78c289468be4b2285409b11759622fc6324a76e8164456a4425172ced
A merger is selected to forge with, ID: 592 for 0.15 ETH, transaction:
https://sepolia.etherscan.io/tx/0x26a20263f7648d393e4a88cc67876317f62fd6f0e0d0e54454e19a4a1100f0cf
0.05 ETH remains transferred and locked in the EntityForging.sol contract.
Tools Used
Manual review
Recommended Mitigation Steps
Handle the potential extra msg.value by implementing logic within the forgeWithListed function to refund any excess ETH provided during the transaction. This ensures that only the required amount for the forging process is utilized, and any additional funds are returned to the user.
Assessed type
ETH-Transfer
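The refund described under Recommended Mitigation Steps, as an added sketch that is not the TraitForge source: the contract name, the Listing struct, listForForging, and the `>=` fee check are assumptions made for illustration, and token ownership checks are omitted. With the values from the Proof of Concept (fee 0.1 ETH, 0.15 ETH sent), the 0.05 ETH excess goes back to the caller instead of staying in the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified contract for illustration only (not EntityForging.sol).
contract ForgeRefundExample {
    struct Listing {
        address payable forgerOwner; // receives the forging fee
        uint256 fee;                 // listed price in wei
        bool isListed;
    }

    mapping(uint256 => Listing) public listings; // forger token id => listing

    event Forged(uint256 indexed forgerId, uint256 indexed mergerId, uint256 feePaid, uint256 refunded);

    // Assumed helper so the example is self-contained; ownership checks omitted.
    function listForForging(uint256 forgerId, uint256 fee) external {
        require(fee > 0, "fee must be > 0");
        listings[forgerId] = Listing(payable(msg.sender), fee, true);
    }

    function forgeWithListed(uint256 forgerId, uint256 mergerId) external payable {
        Listing memory l = listings[forgerId];
        require(l.isListed, "forger not listed");
        require(msg.value >= l.fee, "insufficient fee");

        // Effects first: clear the listing before any external call.
        delete listings[forgerId];
        uint256 excess = msg.value - l.fee;

        // Interactions: pay exactly the listed fee to the forger's owner.
        (bool paid, ) = l.forgerOwner.call{value: l.fee}("");
        require(paid, "fee transfer failed");

        // Return anything above the fee so no ETH stays in the contract.
        if (excess > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: excess}("");
            require(refunded, "refund failed");
        }
        emit Forged(forgerId, mergerId, l.fee, excess);
    }
}
```

Because the refund is an external call to msg.sender, the listing is deleted before any ETH moves so a re-entrant call cannot forge against the same listing twice.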