Missing Refund Logic in forgeWithListed May Result in Fund Loss #980
Labels
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-218
edited-by-warden
grade-c
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
🤖_54_group
AI based duplicate group recommendation
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L126
Vulnerability details
Impact
In the
EntityForging.forgeWithListed()
function, there is no proper refund logic to handle cases where the amount of ETH sent exceeds the required forging fee. This oversight leads to any excess ETH being stuck in the contract indefinitely, resulting in potential financial loss for users who accidentally overpay.Proof of Concept
To demonstrate this issue, the following Hardhat test case shows how excess ETH sent to the contract during a forging operation remains trapped:
Test Output
In the test,
user1
callsforgeWithListed()
withmsg.value = FORGING_FEE + 1 ETH
, sending 1 ETH more than required. As a result, the user ends up spendingFORGING_FEE + gas fee + 1 ETH
, with the excess 1 ETH remaining stuck in the contract:Tools Used
Recommended Mitigation Steps
To address this issue, consider the following mitigation strategies:
Strict Fee Matching:
Modify the
require
statement in theforgeWithListed()
function to ensure thatmsg.value
is exactly equal to the forging fee:Refund Excess Amount:
Implement a refund mechanism that automatically returns any excess ETH sent to
msg.sender
. This can be done by subtracting the forging fee frommsg.value
and transferring the difference back to the user:By implementing one of these changes, you can ensure that users are not overcharged and that excess funds do not remain locked in the contract.
Assessed type
Payable
The text was updated successfully, but these errors were encountered: