Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Refund Processing Vulnerability in `trickOrTreat` Function

Summary

The `trickOrTreat` function in the SpookySwap contract uses a low-level `msg.sender.call` to refund excess ETH when the amount sent exceeds the required cost. This push-style refund fails if the recipient cannot accept ETH transfers, potentially leaving such users without refunds.

Vulnerability Details

The function checks whether `msg.value` is greater than `requiredCost` and attempts to refund the excess amount with the following code: https://github.com/Cyfrin/2024-10-trick-or-treat/blob/main/src/TrickOrTreat.sol#L100-L103

if (msg.value > requiredCost) {
    uint256 refund = msg.value - requiredCost;
    // Push-style refund: a low-level call to the caller with the excess ETH
    (bool refundSuccess,) = msg.sender.call{value: refund}("");
    // If the caller cannot accept ETH, refundSuccess is false and this reverts
    require(refundSuccess, "Refund failed");
}

If the recipient is a contract without a `receive` function or a payable `fallback` function, the call will fail and the user will not receive their refund. This can lead to a poor user experience and potential loss of funds.

Impact

This vulnerability could result in users losing ETH if they are unable to receive refunds, especially when they interact with the contract through other contracts that do not implement a proper `receive` or `fallback` function. It undermines the reliability of the contract and could lead to user dissatisfaction.

Tools Used

Manual Review

Recommendations

Allow users to withdraw their pending refunds themselves (a pull-payment pattern) instead of relying on the push-style refund inside `trickOrTreat`, for example:

// Assumes a `mapping(address => uint256) pendingRefunds` that trickOrTreat
// credits with the excess amount instead of (or when failing to) pushing it.
function withdrawRefund() external {
    uint256 refundAmount = pendingRefunds[msg.sender];
    require(refundAmount > 0, "No refund available");
    // Clear the balance before the external call (checks-effects-interactions)
    pendingRefunds[msg.sender] = 0;
    (bool success,) = msg.sender.call{value: refundAmount}("");
    require(success, "Withdraw failed");
}
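The following Foundry test is an added example, not code from the SpookySwap contract or this submission. It uses hypothetical stand-in contracts (`PushRefund` mirrors the push-style refund described above, `PullRefund` applies the recommended pull pattern, and `ToggleBuyer` is a constructed caller that can be switched between rejecting and accepting ETH) to show the push refund reverting for a caller that cannot receive ETH, and the pull version queueing the refund so it can be withdrawn later. It assumes `forge-std` is available under the usual import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical contract using the push-style refund pattern from the report.
contract PushRefund {
    uint256 public constant REQUIRED_COST = 1 ether;

    function buy() external payable {
        require(msg.value >= REQUIRED_COST, "Insufficient payment");
        if (msg.value > REQUIRED_COST) {
            uint256 refund = msg.value - REQUIRED_COST;
            (bool ok,) = msg.sender.call{value: refund}("");
            require(ok, "Refund failed"); // reverts the whole purchase
        }
    }
}

/// Hypothetical contract applying the recommended pull pattern: a refund that
/// cannot be delivered immediately is recorded and withdrawn later by the user.
contract PullRefund {
    uint256 public constant REQUIRED_COST = 1 ether;
    mapping(address => uint256) public pendingRefunds;

    event RefundQueued(address indexed to, uint256 amount);

    function buy() external payable {
        require(msg.value >= REQUIRED_COST, "Insufficient payment");
        if (msg.value > REQUIRED_COST) {
            uint256 refund = msg.value - REQUIRED_COST;
            (bool ok,) = msg.sender.call{value: refund}("");
            if (!ok) {
                // Do not revert the purchase; let the user claim the refund later.
                pendingRefunds[msg.sender] += refund;
                emit RefundQueued(msg.sender, refund);
            }
        }
    }

    function withdrawRefund() external {
        uint256 amount = pendingRefunds[msg.sender];
        require(amount > 0, "No refund available");
        pendingRefunds[msg.sender] = 0; // effects before the external interaction
        (bool ok,) = msg.sender.call{value: amount}("");
        require(ok, "Withdraw failed");
    }
}

/// Constructed caller whose receive() can be toggled between rejecting and
/// accepting ETH, standing in for a wallet contract that cannot take refunds.
contract ToggleBuyer {
    bool public acceptEth;

    function setAcceptEth(bool v) external { acceptEth = v; }

    receive() external payable { require(acceptEth, "rejecting ETH"); }

    function buyPush(PushRefund t) external payable { t.buy{value: msg.value}(); }
    function buyPull(PullRefund t) external payable { t.buy{value: msg.value}(); }
    function claim(PullRefund t) external { t.withdrawRefund(); }
}

contract RefundPatternTest is Test {
    PushRefund push;
    PullRefund pull;
    ToggleBuyer buyer;

    function setUp() public {
        push = new PushRefund();
        pull = new PullRefund();
        buyer = new ToggleBuyer();
        vm.deal(address(this), 10 ether);
    }

    /// The push refund reverts the entire purchase when the caller rejects ETH.
    function test_pushRefundRevertsForRejectingBuyer() public {
        vm.expectRevert(bytes("Refund failed"));
        buyer.buyPush{value: 1.5 ether}(push);
    }

    /// The pull refund completes the purchase, queues the excess, and pays it
    /// out once the caller is able to receive ETH.
    function test_pullRefundQueuesThenPays() public {
        buyer.buyPull{value: 1.5 ether}(pull);
        assertEq(pull.pendingRefunds(address(buyer)), 0.5 ether);
        assertEq(address(pull).balance, 1.5 ether);

        buyer.setAcceptEth(true);
        buyer.claim(pull);
        assertEq(pull.pendingRefunds(address(buyer)), 0);
        assertEq(address(buyer).balance, 0.5 ether);
        assertEq(address(pull).balance, 1 ether);
    }
}
```

Run with `forge test` in a Foundry project. The design choice worth noting is that `PullRefund.buy` still attempts the direct refund first and only queues it on failure, so ordinary EOA callers see no change in behaviour, while callers that cannot accept ETH keep their purchase and a claimable balance instead of a reverted transaction.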
Updates

Appeal created

bube (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
