Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Do not use msg.value in Meta-Transaction Execution

Summary

Including msg.value in the NativeMetaTransaction call can lead to unintended Ether transfers, deviating from standard practices and potentially causing transaction failures.

Compare with similar implementations:

https://github.com/maticnetwork/pos-portal/blob/5fbd35ba9cdc8a07bf32d81d6d1f4ce745feabd6/contracts/common/NativeMetaTransaction.sol#L30

https://github.com/maticnetwork/pos-portal/blob/5fbd35ba9cdc8a07bf32d81d6d1f4ce745feabd6/contracts/common/NativeMetaTransaction.sol#L67

https://github.com/ProjectOpenSea/meta-transactions/blob/1884921c5fec1f5207e095fdbe61af185879e15d/contracts/ERC721MetaTransactionMaticSample.sol#L174

Vulnerability Details

In the `executeMetaTransaction()` function of the `NativeMetaTransaction` contract, the following line of code includes `msg.value` in the call to `address(this).call`:

```solidity
// Append userAddress and relayer address at the end to extract it from calling context
(bool success, bytes memory returnData) = address(this).call{value: msg.value}(
    abi.encodePacked(functionSignature, userAddress)
);
```

This inclusion means that any Ether sent with the transaction is forwarded to the contract. If the function being called is not payable or not intended to handle Ether, this can lead to transaction failures or unintended Ether transfers. Additionally, it places the burden of managing Ether on the relayer, which is not typical for meta-transactions.

Impact

  • If the target function is not payable, including msg.value can cause the transaction to revert, leading to failed operations and a poor user experience.

  • Relayers are required to manage both gas fees and Ether transfers, which can complicate their role and increase operational costs.
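An added example, not code from the audited project or the linked repositories: a stripped-down Solidity contract that reproduces the call shape quoted above, so the effect of forwarding `msg.value` to payable and non-payable targets can be observed side by side. The names `ForwardingDemo`, `bump`, `deposit`, `executeForwarding` and `executeNoForwarding` are hypothetical; signature and nonce verification are omitted, and the inner call's result is returned instead of being enforced with `require`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Signature and nonce checks are left out on purpose
// so that the value-forwarding behaviour is the only thing being shown.
contract ForwardingDemo {
    uint256 public counter;
    uint256 public deposits;

    // Non-payable target: the compiler-generated check reverts when msg.value != 0.
    function bump() external {
        counter += 1;
    }

    // Payable target: accepts the Ether forwarded by the self-call.
    function deposit() external payable {
        deposits += msg.value;
    }

    // Same call shape as the quoted line: msg.value is forwarded to the self-call.
    // bump() + 1 wei  -> success == false (inner call reverts, counter unchanged)
    // bump() + 0 wei  -> success == true
    // deposit() + 1 wei -> success == true, deposits increases by 1
    function executeForwarding(address userAddress, bytes calldata functionSignature)
        external
        payable
        returns (bool success)
    {
        (success, ) = address(this).call{value: msg.value}(
            abi.encodePacked(functionSignature, userAddress)
        );
    }

    // Call shape without value forwarding. The inner call always sees
    // msg.value == 0, so bump() succeeds even when Ether is attached; because
    // this function is payable, that Ether stays in the contract balance.
    function executeNoForwarding(address userAddress, bytes calldata functionSignature)
        external
        payable
        returns (bool success)
    {
        (success, ) = address(this).call(
            abi.encodePacked(functionSignature, userAddress)
        );
    }
}
```

In both variants the selector to pass as `functionSignature` is `abi.encodeWithSignature("bump()")` or `abi.encodeWithSignature("deposit()")`; the appended 20-byte address is trailing calldata that these argument-less functions ignore.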

Tools Used

Manual review

Recommendations

Remove `msg.value` from the `address(this).call`; refer to the similar implementation below:

https://github.com/maticnetwork/pos-portal/blob/5fbd35ba9cdc8a07bf32d81d6d1f4ce745feabd6/contracts/common/NativeMetaTransaction.sol#L67

Updates

Lead Judging Commences

0xbrivan2 Lead Judge
10 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
