First Flight #13: Baba Marta
First Flight #13
Beginner FriendlyFoundryGameFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

If a user buys a `MartenitsaToken` with msg.value > listing.price then the extra ether is permanently stuck in the contract

codexbugmenot

Summary

In MartenitsaMarketplace::buyMartenitsa function if the msg.value > listing.price i.e user sends more ether than the listing price then the extra ether is permanently stuck in the contract since it has now way to withdraw ether.

Impact

Extra Funds which the users may send while buying MartenitsaToken are permanently stuck in the contract.

Proof of Concept

let listing.price = 2 ether

  1. User calls MartenitsaMarketplace::buyMartenitsa with msg.value = 10 ether

  2. The extra 8 ether is permanently stuck in the MartenitsaMarketplace contract with no way to withdraw or recover it.

Recommendations

There are two possible mitigations for this issue

  1. Making the changes in the MartenitsaMarketplace::buyMartenitsa function accordingly

- require(msg.value >= listing.price, "Insufficient funds");
+ require(msg.value == listing.price, "Insufficient funds");

which sends only required ether to the contract which makes the contract hold no extra ether.

  1. Alternatively, consider Adding a MartenitsaMarketplacewithdraw function where the contract owner and other users can withdraw their funds also make sure that the new function follows the CEI(Checks-effects-Interactions) pattern and has necessary guards in place like OpenZeppelinReentrancyGuard

Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Excess ETH not refunded to the user

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.