Excess ETH sent during the buyOrder function is not refunded to the buyer, leading to permanent loss of funds.
In the `buyOrder` function, the contract checks that `msg.value` is greater than or equal to the required amount (`order.price + sellerFee`). However, if the buyer sends more ETH than required, the excess ETH remains stuck in the contract: there is no mechanism to refund it to the buyer.
Users who send more ETH than necessary lose the surplus permanently, and ETH that reaches the contract by other means (e.g., via `selfdestruct` or a direct transfer) cannot be recovered either.
This can lead to significant financial losses, especially for high-value transactions.
The contract will accumulate unnecessary ETH over time, which could be exploited or cause operational issues.
Manual code review.
Calculate the excess ETH (`msg.value - totalRequired`) and refund it to the buyer using `transfer` or `call`.
Ensure the contract only accepts the exact amount of ETH required for the transaction, or explicitly handle excess ETH.
Add a function to allow the owner to withdraw any accidentally locked ETH, ensuring transparency and control over the contract's balance.
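As an added illustration (not the audited project's code), a hardened `buyOrder` that computes the excess and refunds it with `call`, as the recommendation suggests; the `Order` struct, the flat `sellerFee`, the `feeRecipient` and the payout split are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative marketplace fragment, not the audited contract: the Order
// struct, the flat sellerFee and the payout split are assumptions.
contract BuyOrderRefundExample {
    struct Order { address payable seller; uint256 price; bool active; }
    uint256 public immutable sellerFee;      // assumed: flat fee on top of order.price
    address payable public feeRecipient;     // assumed
    mapping(uint256 => Order) public orders;

    error InsufficientPayment(uint256 sent, uint256 required);
    error RefundFailed();
    error OrderInactive();

    constructor(uint256 _sellerFee, address payable _feeRecipient) {
        sellerFee = _sellerFee;
        feeRecipient = _feeRecipient;
    }

    function createOrder(uint256 id, uint256 price) external {
        orders[id] = Order(payable(msg.sender), price, true);
    }

    // Hardened buyOrder. The reported version only checked
    //   require(msg.value >= order.price + sellerFee)
    // and never returned the surplus, so it stayed in the contract.
    function buyOrder(uint256 id) external payable {
        Order storage order = orders[id];
        if (!order.active) revert OrderInactive();

        uint256 totalRequired = order.price + sellerFee;
        if (msg.value < totalRequired) revert InsufficientPayment(msg.value, totalRequired);

        order.active = false;  // effects before interactions

        (bool paidSeller, ) = order.seller.call{value: order.price}("");
        (bool paidFee, ) = feeRecipient.call{value: sellerFee}("");
        require(paidSeller && paidFee, "payout failed");

        // Refund the excess (msg.value - totalRequired) to the buyer instead
        // of leaving it locked. Uses call so contract wallets can receive it.
        uint256 excess = msg.value - totalRequired;
        if (excess > 0) {
            (bool refunded, ) = payable(msg.sender).call{value: excess}("");
            if (!refunded) revert RefundFailed();
        }
    }
}
```

Reverting when the refund fails keeps the buyer's surplus from being silently retained; the alternative of requiring `msg.value == totalRequired` avoids the refund path entirely.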
The extra ETH sent by the user in the buy order will be locked in the contract forever.