Beginner Friendly / Foundry / GameFi
Submission Details
Severity: high
Valid

Checking that the attached Ether is greater than or equal to the price in `MartenitsaMarketplace::buyMartenitsa` can lead to the buyer overpaying

Summary

A buyer can overpay because the function only checks `msg.value >= listing.price`; the difference between the attached Ether and the listing price is never refunded and stays stuck in the contract.

Vulnerability Details

    function buyMartenitsa(uint256 tokenId) external payable {
        Listing memory listing = tokenIdToListing[tokenId];
        require(listing.forSale, "Token is not listed for sale");
@>      require(msg.value >= listing.price, "Insufficient funds");
        address seller = listing.seller;
        address buyer = msg.sender;
        uint256 salePrice = listing.price;
        .
        .
        .
    }
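A Foundry test that reproduces the problem and checks the fix, written for this page as an added example. It is not the MartenitsaMarketplace code: `Market`, `FixedMarket`, `list`, `buy` and `_checkPayment` are a minimal stand-in that keeps only the listing lookup and the payment check from the snippet above, and the seller payout via `call` is an assumption about how the sale price reaches the seller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the marketplace (assumed structure, not the audited contract).
// The only thing that matters for this finding is the payment check in buy().
contract Market {
    struct Listing {
        address seller;
        uint256 price;
        bool forSale;
    }

    mapping(uint256 => Listing) public tokenIdToListing;

    function list(uint256 tokenId, uint256 price) external {
        tokenIdToListing[tokenId] = Listing(msg.sender, price, true);
    }

    // Vulnerable check: any msg.value >= price is accepted, excess is never returned.
    function _checkPayment(uint256 paid, uint256 price) internal pure virtual {
        require(paid >= price, "Insufficient funds");
    }

    function buy(uint256 tokenId) external payable {
        Listing memory listing = tokenIdToListing[tokenId];
        require(listing.forSale, "Token is not listed for sale");
        _checkPayment(msg.value, listing.price);
        delete tokenIdToListing[tokenId];
        // Only the listing price is forwarded; msg.value - price stays in this contract,
        // and there is no withdraw or refund path for it (assumed, matching the finding).
        (bool ok, ) = listing.seller.call{value: listing.price}("");
        require(ok, "Transfer to seller failed");
    }
}

// Hardened variant: the recommended strict-equality check.
contract FixedMarket is Market {
    function _checkPayment(uint256 paid, uint256 price) internal pure override {
        require(paid == price, "Incorrect payment amount");
    }
}

contract OverpayTest is Test {
    Market internal vulnerable;
    FixedMarket internal hardened;
    address internal seller = makeAddr("seller");
    address internal buyer = makeAddr("buyer");

    function setUp() public {
        vulnerable = new Market();
        hardened = new FixedMarket();
        vm.deal(buyer, 10 ether);
        vm.prank(seller);
        vulnerable.list(1, 1 ether);
        vm.prank(seller);
        hardened.list(1, 1 ether);
    }

    // Buyer sends 3 ETH for a 1 ETH listing: seller gets 1 ETH, 2 ETH is stranded.
    function test_ExcessEtherIsStuckInContract() public {
        vm.prank(buyer);
        vulnerable.buy{value: 3 ether}(1);

        assertEq(seller.balance, 1 ether);
        assertEq(buyer.balance, 7 ether);
        assertEq(address(vulnerable).balance, 2 ether); // unrecoverable overpayment
    }

    // With the strict check the overpayment reverts and the exact price still works.
    function test_StrictEqualityRejectsOverpayment() public {
        vm.prank(buyer);
        vm.expectRevert(bytes("Incorrect payment amount"));
        hardened.buy{value: 3 ether}(1);

        vm.prank(buyer);
        hardened.buy{value: 1 ether}(1);

        assertEq(seller.balance, 1 ether);
        assertEq(buyer.balance, 9 ether);
        assertEq(address(hardened).balance, 0);
    }
}
```

Run with `forge test --match-contract OverpayTest -vv`. The first test is the proof of concept for the finding; the second is the regression test to keep next to the fix, whichever variant (strict equality or refund of the excess) the project adopts.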

Impact

Any Ether sent above `listing.price` stays in the contract with no path for the buyer to recover it, so every overpaying purchase permanently loses funds.

Tools Used

Manual review

Recommendations

Require that the attached Ether is exactly equal to the listing price (alternatively, keep `>=` and refund `msg.value - listing.price` to the buyer).

function buyMartenitsa(uint256 tokenId) external payable {
Listing memory listing = tokenIdToListing[tokenId];
require(listing.forSale, "Token is not listed for sale");
- require(msg.value >= listing.price, "Insufficient funds");
+ require(msg.value == listing.price, "Insufficient funds");
address seller = listing.seller;
address buyer = msg.sender;
uint256 salePrice = listing.price;
.
.
.
}
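Review bot: the `+ require(msg.value == listing.price, "Insufficient funds");` line fixes the stranded-Ether problem but keeps a revert message that is now wrong for the overpayment case; change it to something like "Incorrect payment amount" so an integrator sending too much gets an accurate error. If the marketplace wants to tolerate overpayment instead, keep `>=` and send `msg.value - listing.price` back to `msg.sender` after the seller payout. Either way, add a test that calls `buyMartenitsa` with `msg.value > listing.price` and asserts the contract balance does not grow.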
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Excess ETH not refunded to the user
