Submission Details
Severity:
[H-4] Missing balance validation in refund function
Summary
The refund() function lacks proper balance validation, potentially allowing users to withdraw more tokens than they deposited.
Vulnerability Details
The _refundERC20() function transfers tokens without validating against actual deposits:
function _refundERC20(address _to) internal {
i_WETH.safeTransfer(_to, balances[_to][address(i_WETH)]);
i_WBTC.safeTransfer(_to, balances[_to][address(i_WBTC)]);
i_USDC.safeTransfer(_to, balances[_to][address(i_USDC)]);
balances[_to][address(i_USDC)] = 0;
balances[_to][address(i_WBTC)] = 0;
balances[_to][address(i_WETH)] = 0;
}
Impact
High: Potential theft of tokens through balance manipulation
Inconsistent state between balances and actual deposits
Could drain other users' deposits
Tools Used
Foundry for testing
Manual code review
Test demonstrating missing validation:
function test_refundValidation() public {
vm.startPrank(user1);
weth.mint(user1, 1 ether);
weth.approve(address(dinner), 1 ether);
dinner.deposit(address(weth), 1 ether);
// TODO: Show balance manipulation
dinner.refund();
vm.stopPrank();
}
Recommendations
Add balance validation in refund:
function _refundERC20(address _to) internal {
uint256 wethBalance = balances[_to][address(i_WETH)];
require(wethBalance <= i_WETH.balanceOf(address(this)), "Invalid balance");
i_WETH.safeTransfer(_to, wethBalance);
balances[_to][address(i_WETH)] = 0;
// Similar checks for other tokens
}
Rewards breakdown
nSLOC
129This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.