https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L56
The `tillIn` function in the `TokenManager` contract fails to refund excess Ether when a user sends more Ether than the specified `_amount`. This can lead to unintended financial loss for users, which is a significant usability issue and may damage trust in the contract's operations.
The `tillIn` function checks whether `msg.value` is less than the `_amount` required and, if so, reverts the transaction. However, there is no logic to handle cases where `msg.value` exceeds `_amount`. The excess Ether is not refunded, so a user who accidentally sends more Ether than required loses the difference.
For example, if `_amount` is 1 ETH and `msg.value` is 2 ETH, the contract will keep the extra 1 ETH without refunding it. Users might unintentionally lose funds if they overpay due to mistakes or misunderstandings, which could damage trust in the contract.
This issue is significant because it can lead to unintentional financial loss for users. While it may not be a critical security vulnerability, it is a serious usability issue that could cause frustration and loss of trust in the contract's operations.
Manual Review
Refund excess Ether to users; this ensures that users do not lose funds due to accidental overpayment.
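As an added illustration (not code from the Tadle repository), the following contract places the sufficiency-only check described above next to two safer variants: a strict equality check, which matches the judge's stated expectation that `amount == msg.value`, and a refund variant, which is what the recommendation asks for. The contract name, the `deposited` mapping and the error types are assumptions for the example; only `tillIn`, `_amount` and `msg.value` come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract, not Tadle's TokenManager. Only the function name
/// `tillIn` and the `_amount` parameter mirror the finding; the mapping and
/// the custom errors are assumed for this example.
contract NativeDepositExample {
    mapping(address => uint256) public deposited;

    error InsufficientValue(uint256 sent, uint256 required);
    error ValueMismatch(uint256 sent, uint256 required);
    error RefundFailed();

    /// Sufficiency-only check, as described in the finding: any msg.value
    /// above _amount is accepted and silently kept by the contract.
    function tillInSufficiencyOnly(uint256 _amount) external payable {
        if (msg.value < _amount) revert InsufficientValue(msg.value, _amount);
        deposited[msg.sender] += _amount;
        // excess (msg.value - _amount) stays in the contract balance
    }

    /// Strict variant: reject anything other than the exact amount, so an
    /// overpayment reverts instead of being absorbed.
    function tillInExact(uint256 _amount) external payable {
        if (msg.value != _amount) revert ValueMismatch(msg.value, _amount);
        deposited[msg.sender] += _amount;
    }

    /// Refund variant, as the finding recommends: credit _amount and return
    /// the remainder. State is updated before the external call
    /// (checks-effects-interactions) so a reentrant call cannot double-credit.
    function tillInWithRefund(uint256 _amount) external payable {
        if (msg.value < _amount) revert InsufficientValue(msg.value, _amount);
        deposited[msg.sender] += _amount;
        uint256 excess = msg.value - _amount;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            if (!ok) revert RefundFailed();
        }
    }
}
```

Note that the refund variant makes deposits from contracts that reject plain Ether transfers revert, which is why the strict equality check is often the simpler choice.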
Invalid. These are, by default, invalid based on the CodeHawks [general guidelines](https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity#findings-that-may-be-invalid). The check implemented is simply a sufficiency check; it is the user's responsibility to only send an appropriate amount of native tokens, where amount == msg.value, when native token is intended to be used as collateral (which will subsequently be deposited as wrapped token). All excess ETH can be rescued using the `Rescuable.sol` contract.

> Users sending ETH/native tokens
> If contracts allow users to send tokens accidentally.