Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential Loss of User Funds Due to Lack of Overpayment Refund in Individual Claim Functions #122

Closed
howlbot-integration bot opened this issue Sep 6, 2024 · 3 comments
Closed

Potential Loss of User Funds Due to Lack of Overpayment Refund in Individual Claim Functions #122

howlbot-integration bot opened this issue Sep 6, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-109 🤖_04_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/PhiFactory.sol#L300

Vulnerability details

Impact

The individual claim functions (claim and its internal calls to signatureClaim and merkleClaim) in the PhiFactory contract do not properly handle overpayments, potentially leading to users losing excess ETH. When users send more ETH than the required mint fee, the excess amount remains trapped in the contract without a mechanism for refund. This issue could result in cumulative loss of funds for users who consistently overpay slightly.
In contrast, the batchClaim function does accurately refund excess fees, creating an inconsistency in the contract's behavior.

Proof of Concept

In the claim function, only the exact mintFee is passed to internal claim functions:

uint256 mintFee = getArtMintFee(artId, quantity_);
this.signatureClaim{ value: mintFee }(signature_, claimData, mintArgs);

The signatureClaim function receives only this exact mintFee:

function signatureClaim(
    bytes calldata signature_,
    bytes calldata encodeData_,
    MintArgs calldata mintArgs_
)
    external
    payable
    whenNotPaused
{
    // ...
    _processClaim(artId_, minter_, ref_, verifier_, mintArgs_.quantity, data_, mintArgs_.imageURI, msg.value);
    // ...
}

The _processClaim function's refund mechanism never triggers for individual claims:

uint256 mintFee = getArtMintFee(artId_, quantity_);
if ((etherValue_ - mintFee) > 0) {
    _msgSender().safeTransferETH(etherValue_ - mintFee);
}

In contrast, the batchClaim function correctly handles overpayments by passing individual ETH values and also checking it matches msg.value

if (msg.value != totalEthValue) revert InvalidEthValue();

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the claim function to pass the full msg.value to internal claim functions:

Assessed type

Token-Transfer
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_04_group AI based duplicate group recommendation bug Something isn't working duplicate-11 sufficient quality report This report is of sufficient quality labels Sep 6, 2024
howlbot-integration bot added a commit that referenced this issue Sep 6, 2024
@howlbot-integration
0xNirix issue #122
9614a30
@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Sep 12, 2024
@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as not a duplicate

@c4-judge c4-judge reopened this Sep 23, 2024
@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as duplicate of #109

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-109 🤖_04_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge