NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

There is no way to calculate the Starknet fee and no way to refund excess ETH sent

Summary

There is no way to calculate the Starknet messaging fee on-chain, and the bridge does not refund any excess ETH sent with the call.

Vulnerability Details

IStarknetMessaging(_starknetCoreAddress).sendMessageToL2{
value: msg.value

When sending a message to L2, the caller must also attach ETH to the transaction to pay the Starknet messaging fee, and the contract forwards the full msg.value to Starknet Core. Because there is no way to calculate this fee from the contract, a user might do one of two things:

Send too little ETH to cover the fee
Send too much ETH to the bridge

In the first case the transaction simply reverts and the user loses the gas spent.
In the second case the user sends more ETH than needed and the excess fee is not refunded.

Impact

Loss of excess ETH, because the contract does not refund the unused portion of msg.value to the user.

Tools Used

Manual review

Recommendations

Add a way to determine the bridging fee and refund any ETH that is not consumed by the fee to the user.
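One way to implement that recommendation, as an added example that is not the NFTBridge project's own code: the Starknet L2 fee cannot be computed on-chain, so the wrapper takes the expected fee as an explicit parameter (estimated off-chain by the caller), forwards exactly that amount to Starknet Core, and refunds the remainder of msg.value. The interface below mirrors the public `IStarknetMessaging.sendMessageToL2` signature; the contract name, the `l2Bridge`/`l2Selector` fields and the `bridge` function are hypothetical names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: this matches the public Starknet Core messaging interface.
interface IStarknetMessaging {
    function sendMessageToL2(
        uint256 toAddress,
        uint256 selector,
        uint256[] calldata payload
    ) external payable returns (bytes32, uint256);
}

// Hypothetical wrapper: forward only the declared fee, refund the rest.
contract BridgeWithRefund {
    IStarknetMessaging public immutable starknetCore;
    uint256 public immutable l2Bridge;   // hypothetical L2 recipient address
    uint256 public immutable l2Selector; // hypothetical L2 handler selector

    event Bridged(address indexed sender, uint256 feePaid, uint256 refunded);

    constructor(address core, uint256 bridge_, uint256 selector_) {
        starknetCore = IStarknetMessaging(core);
        l2Bridge = bridge_;
        l2Selector = selector_;
    }

    // `l2Fee` is the fee the caller estimated off-chain for this message.
    // Anything above it is returned instead of being swallowed by the call.
    function bridge(uint256[] calldata payload, uint256 l2Fee) external payable {
        require(l2Fee > 0, "fee must be non-zero");
        require(msg.value >= l2Fee, "insufficient ETH for L2 fee");

        // Forward exactly the declared fee; Starknet Core keeps all of it.
        starknetCore.sendMessageToL2{value: l2Fee}(l2Bridge, l2Selector, payload);

        // Refund the excess. No contract state is written after this point,
        // so the external call cannot be used to re-enter into an inconsistent state.
        uint256 excess = msg.value - l2Fee;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }

        emit Bridged(msg.sender, l2Fee, excess);
    }
}
```

The refund uses a low-level `call` rather than `transfer` so that smart-contract callers with non-trivial `receive` logic are not bricked by the 2300 gas stipend; since the refund is the last action and the contract holds no bridged state, the reentrancy surface is limited to the caller's own funds. Under-payment still reverts, but now with an explicit reason and before the message is sent, so the only cost to the user is the gas of the failed transaction.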

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real possible impact.
