DatingDapp
AI First Flight #6
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Impact: medium
Likelihood: high
Invalid

[M-01] Excess ETH Not Refunded — Users Overpay Without Recovery

kivanov

[M-01] Excess ETH Not Refunded — Users Overpay Without Recovery

Scope

  • LikeRegistry.sol

Description

likeUser() requires msg.value >= 1 ether but accepts any amount above the minimum without refunding the excess. Users who accidentally send more than 1 ETH lose the difference permanently, compounded by H-01 which locks ALL deposited ETH.

@> require(msg.value >= 1 ether, "Must send at least 1 ETH");
// No refund of msg.value - 1 ether

Risk

Likelihood: High — Any user can overpay via UI error or programmatic mistake.

Impact: Medium — Loss limited to excess above 1 ETH per transaction.

Severity: Medium

  • SWC: SWC-105

  • CWE: CWE-20 (Improper Input Validation)

  • Evidence Grade: B

Proof of Concept

Alice intends to like Bob and sends 5 ETH instead of the required 1 ETH. The contract accepts the full 5 ETH without refunding the 4 ETH excess. Alice has no way to recover the overpayment.

function test_BONUS_excess_ETH_not_refunded() public {
vm.prank(alice);
registry.likeUser{value: 5 ether}(bob);
assertEq(address(registry).balance, 5 ether, "All 5 ETH taken — no refund");
}

forge test --match-test test_BONUS_excess_ETH_not_refunded -vvvvPASS

Recommended Mitigation

Either enforce exact payment or refund the excess. Exact payment is simpler and safer:

-require(msg.value >= 1 ether, "Must send at least 1 ETH");
+require(msg.value == 1 ether, "Must send exactly 1 ETH");
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!