Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

claim function: Excess ether did not return to the user #3

Closed
c4-bot-9 opened this issue Aug 27, 2024 · 3 comments
Closed

claim function: Excess ether did not return to the user #3

c4-bot-9 opened this issue Aug 27, 2024 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-109 🤖_04_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-bot-9
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2024-08-phi/blob/main/src/PhiFactory.sol#L264-L304

Vulnerability details

Impact

The claim function in PhiFactory contract is used to claim an art reward. The mint fee is calculated by the getArtMintFee function and will be sent to merkleClaim or signatureClaim:

 uint256 mintFee = getArtMintFee(artId, quantity_);
 this.merkleClaim{ value: mintFee }(proof, claimData, mintArgs, leafPart_);
uint256 mintFee = getArtMintFee(artId, quantity_);
this.signatureClaim{ value: mintFee }(signature_, claimData, mintArgs);

Users are likely to send more ether than the actual fee in order to ensure that they can claim the art. However, the claim function did not return the excess ether, which would cause asset loss to the user.

Proof of Concept

https://github.com/code-423n4/2024-08-phi/blob/main/src/PhiFactory.sol#L264-L304

Tools Used

Manual Review

Recommended Mitigation Steps

Consider following fix:

uint256 mintFee = getArtMintFee(artId, quantity_);
this.merkleClaim{ value: mintFee }(proof, claimData, mintArgs, leafPart_);
if (msg.value > mintFee){
     _msgSender().safeTransferETH(msg.value - mintFee);
}
uint256 mintFee = getArtMintFee(artId, quantity_);
this.signatureClaim{ value: mintFee }(signature_, claimData, mintArgs);
if (msg.value > mintFee){
    _msgSender().safeTransferETH(msg.value - mintFee);
}

Assessed type

ETH-Transfer
@c4-bot-9 c4-bot-9 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 27, 2024
c4-bot-2 added a commit that referenced this issue Aug 27, 2024
@c4-bot-2
biakia issue #3
f2ca071
@c4-bot-13 c4-bot-13 added the 🤖_04_group AI based duplicate group recommendation label Sep 3, 2024
@howlbot-integration howlbot-integration bot added sufficient quality report This report is of sufficient quality duplicate-11 labels Sep 6, 2024
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Sep 9, 2024
@c4-judge
Copy link
Contributor

c4-judge commented Sep 9, 2024

fatherGoose1 marked the issue as satisfactory

@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as not a duplicate

@c4-judge c4-judge reopened this Sep 23, 2024
@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as duplicate of #109

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-109 🤖_04_group AI based duplicate group recommendation satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-bot-9 @c4-bot-13