Tadle

Github

• https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L56

Summary

The tillIn function in the TokenManager contract fails to refund excess Ether when a user sends more Ether than the specified _amount. This can lead to unintended financial loss for users, which is a significant usability issue and may damage trust in the contract's operations.

Vulnerability Details

The tillIn function checks if the msg.value is less than the _amount required. If true, it reverts the transaction. However, there is no logic to handle cases where msg.value exceeds _amount. The excess Ether is not refunded, leading to a potential loss for the user. If a user accidentally sends more Ether than required, the excess Ether is not refunded, resulting in a loss for the user.

For example, if _amount is 1 ETH and msg.value is 2 ETH, the contract will keep the extra 1 ETH without refunding it. Users might unintentionally lose funds if they overpay due to mistakes or misunderstandings, which could damage trust in the contract.

Impact

This issue is significant because it can lead to unintentional financial loss for users. While it may not be a critical security vulnerability, it is a serious usability issue that could cause frustration and loss of trust in the contract's operations.

Tools Used

Manual Review

Recommendations

Refund excess Ether to the users, this ensures that users do not lose funds due to accidental overpayment.