code-423n4/2024-08-phi-validation

Missing Refund on Excessive Ether Sent in Claim Functions

c4-bot-2 opened this issue · 1 comment

Lines of code

https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/abstract/Claimable.sol#L22
https://github.com/code-423n4/2024-08-phi/blob/8c0985f7a10b231f916a51af5d506dd6b0c54120/src/abstract/Claimable.sol#L47

Vulnerability details

Summary

The Claimable contract provides two external functions, signatureClaim and merkleClaim, that process claims. Both functions allow the sender to send Ether along with the claim transaction.

The contract does not refund excess Ether sent with the transaction. If a user sends more Ether than required, the surplus amount remains in the contract, which could be exploited or lead to user losses.

Impact

Users may unintentionally lose Ether if they overpay. Since the contract does not refund the excess amount, it could accumulate significant funds unintentionally, especially if the contract is widely used. This behavior might also violate user expectations, leading to dissatisfaction or distrust.

Recommendation

Implement a refund mechanism in the signatureClaim and merkleClaim functions. After performing the necessary operations, the contract should calculate the difference between msg.value and the required Ether amount. If there is any excess, it should be refunded to the sender.

uint256 requiredValue = /* calculate required Ether amount */;
if (msg.value > requiredValue) {
    payable(msg.sender).transfer(msg.value - requiredValue);
}
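As an added example (not code from the 2024-08-phi repository), the following abstract contract shows one way to wire the recommended refund into a shared claim path: price the claim, reject underpayment, perform the claim, and only then return the surplus. The contract and function names (`ClaimableWithRefund`, `_priceOf`, `_processClaim`, `_refundExcess`) are assumed for illustration; the refund uses `call` instead of `transfer` because the fixed 2300-gas stipend of `transfer` can make the whole claim revert for smart-contract wallets.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not code from the 2024-08-phi project.
/// Names below are assumptions chosen for illustration.
abstract contract ClaimableWithRefund {
    error InsufficientValue(uint256 sent, uint256 required);
    error RefundFailed(address to, uint256 amount);

    event ExcessRefunded(address indexed to, uint256 amount);

    /// Derived contracts define how much Ether a claim of `quantity` costs.
    function _priceOf(uint256 quantity) internal view virtual returns (uint256);

    /// Hook where the real work happens (signature or merkle verification, minting).
    function _processClaim(address to, uint256 quantity) internal virtual;

    /// Shared entry point for signatureClaim / merkleClaim style functions.
    /// Refund is done last (checks-effects-interactions) so a receiver that
    /// re-enters during the refund cannot observe a half-finished claim.
    function _claimWithRefund(address to, uint256 quantity) internal {
        uint256 required = _priceOf(quantity);
        if (msg.value < required) revert InsufficientValue(msg.value, required);

        _processClaim(to, quantity);

        _refundExcess(msg.sender, msg.value - required);
    }

    /// Returns surplus Ether to the payer. `call` is used rather than `transfer`
    /// because the 2300 gas stipend of `transfer` reverts for contract wallets
    /// whose receive() needs more gas, which would block those users from claiming.
    function _refundExcess(address to, uint256 amount) internal {
        if (amount == 0) return;
        (bool ok, ) = payable(to).call{value: amount}("");
        if (!ok) revert RefundFailed(to, amount);
        emit ExcessRefunded(to, amount);
    }
}
```

If the claim path forwards `msg.value` to another contract (for example a factory or a creator payout), compute the refund from the amount actually consumed rather than from a locally derived price, otherwise the contract may attempt to refund Ether it no longer holds.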

Assessed type

ETH-Transfer

Withdrawn by cheatc0d3