Platform: Code4rena
Start Date: 07/04/2023
Pot Size: $47,000 USDC
Total HM: 20
Participants: 120
Period: 6 days
Judge: GalloDaSballo
Total Solo HM: 4
Id: 230
League: ETH
Rank: 69/120
Findings: 1
Award: $34.04
🌟 Selected for report: 0
🚀 Solo Findings: 0
34.044 USDC - $34.04
The function change() takes as a parameter an array Change[] calldata changes.
For each element of the input array, the change method of the PrivatePool contract is called, and ETH with a value of msg.value is sent along. If the amount sent is not used up, the pool contract refunds the remainder to the EthRouter.
After the first iteration, the remainder of the funds is held by the EthRouter contract. Because the initial EthRouter balance is 0 and fees have been deducted, the balance of the EthRouter is now smaller than msg.value, and the second loop iteration fails with an EVM error (Out of Fund).
State changes are reverted, but the user incurs gas costs.
Test file available here (in .txt format; change the extension to .sol to run the test cases locally): https://gateway.pinata.cloud/ipfs/QmQrCaJD36UAr1Xqo2AQfbjGVA9GmG3cUqSdxXmP9FgxQN
The tests show that calling the change() function works fine with an input array of length 1 and fails with an input array of length 2, even if extra ETH is sent along.
Only send the amount needed to pay the fees on each iteration.
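The accounting behind this finding, as an added model that is not Caviar's code: a router that forwards the full msg.value on every loop iteration runs short of ETH on the second iteration once the first pool has kept its fee, whereas forwarding only what each iteration needs succeeds. Pool fees and amounts are constructed values, and the Pool/Router classes are simplified stand-ins for the real contracts.

```python
from dataclasses import dataclass


class OutOfFund(Exception):
    """Stands in for the EVM failure when a call forwards more value than the caller holds."""


@dataclass
class Pool:
    fee: int  # wei the pool keeps per change() call (constructed, not the protocol's fee logic)

    def change(self, value: int, caller: "Router") -> None:
        if value < self.fee:
            raise ValueError("insufficient fee")
        caller.balance += value - self.fee  # unused remainder is refunded to the router


@dataclass
class Router:
    balance: int = 0  # the router holds no ETH between calls

    def _send(self, pool: Pool, value: int) -> None:
        if value > self.balance:
            raise OutOfFund(f"tried to send {value} wei with balance {self.balance}")
        self.balance -= value
        pool.change(value, caller=self)

    def change_vulnerable(self, pools, msg_value: int) -> int:
        """Forwards the full msg.value on every iteration; returns the ETH left in the router."""
        self.balance += msg_value
        for pool in pools:
            self._send(pool, msg_value)  # from iteration 2 on, balance < msg_value
        return self.balance

    def change_fixed(self, pools, msg_value: int) -> int:
        """Forwards only each pool's fee, then refunds the rest to the caller."""
        self.balance += msg_value
        for pool in pools:
            self._send(pool, pool.fee)
        refund, self.balance = self.balance, 0
        return refund


def failing_iteration(pools, msg_value: int, fixed: bool = False) -> int:
    """0-based loop index at which the call runs out of funds, or -1 if it completes."""
    router = Router()
    fn = router.change_fixed if fixed else router.change_vulnerable
    try:
        fn(pools, msg_value)
    except OutOfFund:
        return len(pools) - 1 if router.balance < msg_value and not fixed else -1
    return -1
```

With two pools the vulnerable loop fails even when far more ETH than the total fees is sent, because the shortfall is the first pool's fee, not the total.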
#0 - GalloDaSballo
2023-04-28T17:35:57Z
Will double check and consider raising to Med as duplicate
#1 - c4-judge
2023-05-02T07:28:28Z
GalloDaSballo changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-05-02T07:28:28Z
GalloDaSballo changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-05-02T07:28:55Z
GalloDaSballo marked the issue as duplicate of #873