Submission Details
Severity: high
Valid

Refund dust ether to user in MartenitsaMarketplace::buyMartenitsa()

Summary

Users call buyMartenitsa() to buy a Martenitsa with ether. If msg.value is larger than the actual price, the leftover dust ether needs to be refunded to the user.

Vulnerability Details

In MartenitsaMarketplace::buyMartenitsa(), users buy a Martenitsa by paying the corresponding amount of ether. The function only checks that msg.value is greater than or equal to the sale price. When the user's msg.value is a little larger than the price, the difference is left behind as dust ether. That ether should be refunded to the user.
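To show the overpayment problem and the refund pattern side by side, here is a constructed minimal marketplace with a Foundry test; it is added for illustration and is not the audited MartenitsaMarketplace code (names such as DustMarketplace, buyNoRefund and buyWithRefund are assumptions, and the NFT transfer is omitted).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed minimal marketplace (not the audited contract); the NFT transfer is omitted.
contract DustMarketplace {
    mapping(uint256 => uint256) public price;
    mapping(uint256 => address) public seller;
    function list(uint256 id, uint256 salePrice) external {
        seller[id] = msg.sender;
        price[id] = salePrice;
    }
    // Shared settlement: clear the listing, then pay the seller (effects before interactions).
    function _settle(uint256 id) internal returns (uint256 salePrice) {
        salePrice = price[id];
        require(msg.value >= salePrice, "Insufficient funds");
        address s = seller[id];
        delete price[id];
        delete seller[id];
        (bool sent, ) = s.call{value: salePrice}("");
        require(sent, "Failed to send Ether");
    }

    // Vulnerable shape: the excess over salePrice stays in the contract and nothing can withdraw it.
    function buyNoRefund(uint256 id) external payable {
        _settle(id);
    }

    // Hardened shape: send msg.value - salePrice back to the buyer once settlement is done.
    function buyWithRefund(uint256 id) external payable {
        uint256 excess = msg.value - _settle(id);
        if (excess > 0) {
            (bool refunded, ) = msg.sender.call{value: excess}("");
            require(refunded, "Failed to refund Ether");
        }
    }
}

contract DustMarketplaceTest is Test {
    DustMarketplace m = new DustMarketplace();
    function testOverpaymentRefunded() public {
        address alice = makeAddr("alice");
        vm.prank(makeAddr("bob"));
        m.list(0, 0.1 ether);
        vm.deal(alice, 1 ether);
        vm.prank(alice);
        m.buyWithRefund{value: 1 ether}(0);
        assertEq(alice.balance, 0.9 ether); // dust returned
        assertEq(address(m).balance, 0);     // nothing locked
    }
}
```

Running the same test against buyNoRefund instead leaves 0.9 ether in the contract with no way to recover it, which is the locked-dust condition described above.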

Poc

function testBuyRefund() public listMartenitsa {
    // Seller (chasy) approves the marketplace to transfer token 0
    vm.prank(chasy);
    martenitsaToken.approve(address(marketplace), 0);
    // Buyer alice is funded with 1 ether, more than the listed price
    address alice = makeAddr("Alice");
    vm.deal(alice, 1 ether);
    vm.startPrank(alice);
    console.log(alice.balance); // before purchase
    marketplace.buyMartenitsa{value: 1 ether}(0);
    console.log(alice.balance); // after purchase: nothing refunded
}

The resulting logs are shown below:

Logs:
1000000000000000000
0

Impact

The user's dust ether is left in the smart contract and locked there, because there is no withdraw function.

Tools Used

Manual & Foundry

Recommendations

Refund any leftover dust ether to the buyer.

diff --git a/src/MartenitsaMarketplace.sol b/src/MartenitsaMarketplace.sol
index bba0099..87637ae 100644
--- a/src/MartenitsaMarketplace.sol
+++ b/src/MartenitsaMarketplace.sol
@@ -77,9 +77,15 @@ contract MartenitsaMarketplace is Ownable {
// Transfer funds to seller
(bool sent, ) = seller.call{value: salePrice}("");
require(sent, "Failed to send Ether");
// Transfer the token to the buyer
martenitsaToken.safeTransferFrom(seller, buyer, tokenId);
+ //refund dust ether to the buyer
+ if (msg.value > salePrice) {
+ (bool send, ) = buyer.call{value: msg.value - salePrice}("");
+ require(send, "Fail to send Ether");
+ }
+
}
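Review bot: the refund branch adds a second external call that hands control back to the buyer after the seller payment and the token transfer, so confirm that the listing state is already cleared before this point (or that the function is protected against reentrancy), since `buyer.call{value: msg.value - salePrice}("")` runs before the closing brace. Minor: `(bool send, )` reads like the `sent` flag a few lines above and "Fail to send Ether" differs from the existing "Failed to send Ether"; rename it to `refunded` and keep one wording. An alternative that avoids the extra call altogether is to require an exact payment, `require(msg.value == salePrice)`, instead of the current greater-or-equal check.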
Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Excess ETH not refunded to the user
