Submission Details
Severity: high
Valid

Lost ether

Summary

Ether will be stuck in the contract if a user sends more than the listing price to `MartentisaMarketPlace::buyMartenitsa`.

Vulnerability Details

The contract checks that `msg.value >= listing.price`, and later sends exactly `listing.price` ether to the seller.
Bob wants to buy a MartenitsaToken listed at `listing.price` of 10 ether; however, he sends 11 ether as `msg.value` to `buyMartenitsa`.
Since `listing.price` is 10 ether, 10 ether is sent to the seller, but the one extra ether is not returned to Bob, nor is there any function through which the contract can use or withdraw it, so it stays stuck in the contract.

```solidity
function buyMartenitsa(uint256 tokenId) external payable {
    Listing memory listing = tokenIdToListing[tokenId];
    require(listing.forSale, "Token is not listed for sale");
    // Accepts any amount >= price; the surplus above listing.price is never refunded
    require(msg.value >= listing.price, "Insufficient funds");
    address seller = listing.seller;
    address buyer = msg.sender;
    uint256 salePrice = listing.price;
    martenitsaToken.updateCountMartenitsaTokensOwner(buyer, "add");
    martenitsaToken.updateCountMartenitsaTokensOwner(seller, "sub");
    // Clear the listing
    delete tokenIdToListing[tokenId];
    emit MartenitsaSold(tokenId, buyer, salePrice);
    // Transfer funds to seller (only salePrice, not msg.value)
    (bool sent,) = seller.call{value: salePrice}("");
    require(sent, "Failed to send Ether");
    // Transfer the token to the buyer
    martenitsaToken.safeTransferFrom(seller, buyer, tokenId);
}
```

Impact

Ether will be stuck in the contract.

Tools Used

Manual review

Recommendations

Return the extra ether back to the user.
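As an added illustration of this recommendation (this is example code written for this page, not the contest's `MartentisaMarketPlace` or `MartenitsaToken` source), the marketplace below keeps the original function's names and ordering but computes the surplus `msg.value - listing.price` and returns it to the buyer after the seller has been paid. The `IMartenitsaToken` interface, the `list` helper, the `TokenStub` and the Foundry test are all constructed here so the fix compiles and runs on its own; the real token contract's behaviour is assumed, not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed for this example: only the two token calls the marketplace needs.
interface IMartenitsaToken {
    function updateCountMartenitsaTokensOwner(address owner, string calldata op) external;
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

// Constructed marketplace with the refund added; names mirror the finding's snippet.
contract FixedMarketPlace {
    struct Listing { address seller; uint256 price; bool forSale; }

    IMartenitsaToken public immutable martenitsaToken;
    mapping(uint256 => Listing) public tokenIdToListing;

    event MartenitsaSold(uint256 indexed tokenId, address indexed buyer, uint256 price);

    constructor(IMartenitsaToken token) { martenitsaToken = token; }

    // Assumed listing helper so the test can create a sale.
    function list(uint256 tokenId, uint256 price) external {
        tokenIdToListing[tokenId] = Listing(msg.sender, price, true);
    }

    function buyMartenitsa(uint256 tokenId) external payable {
        Listing memory listing = tokenIdToListing[tokenId];
        require(listing.forSale, "Token is not listed for sale");
        require(msg.value >= listing.price, "Insufficient funds");
        address seller = listing.seller;
        address buyer = msg.sender;
        uint256 salePrice = listing.price;
        uint256 excess = msg.value - salePrice; // cannot underflow: checked above

        martenitsaToken.updateCountMartenitsaTokensOwner(buyer, "add");
        martenitsaToken.updateCountMartenitsaTokensOwner(seller, "sub");
        delete tokenIdToListing[tokenId]; // state is settled before any external call
        emit MartenitsaSold(tokenId, buyer, salePrice);

        (bool sent,) = seller.call{value: salePrice}("");
        require(sent, "Failed to send Ether");
        if (excess > 0) { // the fix: return the surplus instead of leaving it in the contract
            (bool refunded,) = buyer.call{value: excess}("");
            require(refunded, "Failed to refund excess Ether");
        }
        martenitsaToken.safeTransferFrom(seller, buyer, tokenId);
    }
}

// Constructed stub: tracks ownership only, enough to drive the test.
contract TokenStub is IMartenitsaToken {
    mapping(uint256 => address) public ownerOf;
    function mint(address to, uint256 id) external { ownerOf[id] = to; }
    function updateCountMartenitsaTokensOwner(address, string calldata) external {}
    function safeTransferFrom(address, address to, uint256 id) external { ownerOf[id] = to; }
}

// Foundry test reproducing the report's scenario: 10 ether listing, 11 ether sent.
contract FixedMarketPlaceTest is Test {
    FixedMarketPlace market;
    TokenStub token;
    address seller = makeAddr("seller");
    address bob = makeAddr("bob");

    function setUp() public {
        token = new TokenStub();
        market = new FixedMarketPlace(token);
        token.mint(seller, 1);
        vm.prank(seller);
        market.list(1, 10 ether);
        vm.deal(bob, 11 ether);
    }

    function testOverpaymentIsRefunded() public {
        vm.prank(bob);
        market.buyMartenitsa{value: 11 ether}(1);
        assertEq(bob.balance, 1 ether);        // surplus came back to Bob
        assertEq(seller.balance, 10 ether);    // seller received exactly the price
        assertEq(address(market).balance, 0);  // nothing left stuck in the contract
        assertEq(token.ownerOf(1), bob);
    }
}
```

The refund is sent only after the listing has been deleted, keeping the checks-effects-interactions order the original already follows, so a buyer contract that re-enters from its receive hook finds the listing gone. If the project would rather not accept overpayment at all, the stricter alternative is to replace the `>=` check with `require(msg.value == listing.price, ...)`; the test above then fails on the 11 ether call, which is the intended behaviour in that design.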

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Excess ETH not refunded to the user
