Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 70/93
Findings: 2
Award: $45.73
π Selected for report: 0
π Solo Findings: 0
π Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.2759 USDC - $30.28
For customized minter contract who does not implement ERC20 withdraw interface, the WETH transferred can be locked forever, in other words, lost.
_safeTransferETHWithFallback is used to refund ETH to the minters. If ETH is rejected, WETH ERC20 transfer will be used. However I suggest that we should not assume that the all the users implement the minter contract properly. An ERC20 receiver is unable to reject the transfer like they do to the ETH transfer, thus, if minter contracts do not implement the ERC20 withdraw method, the transferred tokens are lost. Or they may have their own self-refund logic we have no idea how to cooperate with.
Maybe skipping such refunding cases is a better idea as the minter can find other way to get their fund back, like self-refund or just contact your team to withdraw the ETH for them.
Code review.
Just skip minters who reject ETH, leave them to do their self-refund business.
A sample:
function _refundAddress(address minter) private { uint256 owed = refundOwed(minter); if (owed > 0 && _safeTransferETH(minter, owed)) { daAmountRefunded[minter] += owed; } }
#0 - wagmiwiz
2022-05-05T10:21:08Z
#1 - gzeoneth
2022-06-18T16:31:03Z
It is very unlikely a smart contract wallet don't support ERC20 withdrawal and any custom contract used to mint this nft should be responsible to make sure it is compatible with the refund mechanism. Downgrading to Low / QA.
#2 - gzeoneth
2022-06-18T19:26:35Z
As warden's QA report.
π Selected for report: BowTiedWardens
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0xDjango, 0xNazgul, 0xProf, 0xc0ffEE, 0xf15ers, 0xkatana, 0xliumin, ACai, AlleyCat, CertoraInc, Cityscape, Cr4ckM3, DavidGialdi, Dinddle, FSchmoede, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, MiloTruck, Picodes, RoiEvenHaim, Tadashi, TerrierLover, TrungOre, VAD37, WatchPug, antonttc, catchup, defsec, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, ilan, joestakey, kebabsec, kenta, kenzo, marximimus, minhquanym, noobie, oyc_109, p4st13r4, pauliax, rajatbeladiya, reassor, rfa, robee, rotcivegaf, saian, samruna, shenwilly, shung, simon135, slywaters, sorrynotsorry, throttle, unforgiven, z3s
15.4498 USDC - $15.45
require can be removed as msg.sender can never be zero address. Or do you mean to check require(address(token) != address(0)); ?