Submission Details
Severity:
`msg.value` sent by user is lost
Summary
createTradingAccountAndMulticall function is payable. It does not sent received msg.value nor refund it to the sender.
Root Cause
function createTradingAccountAndMulticall(
bytes[] calldata data,
bytes memory referralCode,
bool isCustomReferralCode
)
external
payable
virtual
returns (bytes[] memory results)
{
uint128 tradingAccountId = createTradingAccount(referralCode, isCustomReferralCode);
results = new bytes[](data.length);
for (uint256 i; i < data.length; i++) {
bytes memory dataWithAccountId = bytes.concat(data[i][0:4], abi.encode(tradingAccountId), data[i][4:]);
(bool success, bytes memory result) = address(this).delegatecall(dataWithAccountId);
if (!success) {
uint256 len = result.length;
assembly {
revert(add(result, 0x20), len)
}
}
results[i] = result;
}
}
Vulnerability details
We can see that the delegate call does not include msg.value in the call.
(bool success, bytes memory result) = address(this).delegatecall(dataWithAccountId);
Impact
The msg.value is stuck in contract.
Recommended Mitigation Steps
Send or refund msg.value to the user in createTradingAccountAndMulticall function.
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`createTradingAccountAndMulticall` shouldn't be payable
Prize pool breakdown
Total prize
60,000 USDC
nSLOC
2,87821 USDC / LOC
50,000 USDC
5,500 USDC
4,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.