Root + Impact

Description

• The share issuance logic should either reject or fully honor a contribution once the requested shares exceed the remaining public cap.

• Instead the code clamps new_shares to the remaining availability but retains the full payment, so investors overpay whenever the cap is nearly exhausted.

Risk

Likelihood:

• Large contributions are common when the company is profitable, and as the cap approaches exhaustion each new depositor has a high chance of requesting more shares than remain.

• Front-ends typically do not query the exact remaining supply prior to sending the transaction, so wallets will broadcast oversized purchases.

Impact:

• Investors receive only a fraction of the shares they believed they purchased while losing the rest of their payment.

• The contract silently accumulates windfall funds that should have been refunded, undermining fair distribution and opening the door to legal complaints.

Proof of Concept

1. Let the share price be 1e15 wei with only one share slot remaining (available = 1).

2. Call fund_investor with 1 ether, expecting roughly 1,000 shares.

3. The contract clamps the mint to a single share but still adds the entire 1 ether to company_balance, pocketing the overpayment.

Recommended Mitigation

• After clamping new_shares, refund the unused portion msg.value - new_shares * share_price back to the caller.

• Alternatively, revert the transaction when new_shares > available so users cannot accidentally overpay.

• Document the remaining capacity via view functions or events so front-ends can prevent users from sending more value than can be converted into shares.