Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 62
Period: 3 days
Judge: berndartmueller
Id: 181
League: ETH
Rank: 36/62
Findings: 1
Award: $66.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rotcivegaf
Also found by: 0x4non, 0xDecorativePineapple, 9svR6w, Trust, V_B, adriro, ajtra, aviggiano, brgltd, carlitox477, chaduke, codexploder, corerouter, joestakey, ladboy233, s3cunda, saian, wait
66.8068 USDC - $66.81
Detailed description of the impact of this finding.
Function _returnDust() is called in _bulkExecute but its return value has never been checked. As a result, if the ETH refund transfer fails, it will be overlooked and the transaction _bulkExecute will complete successfully but the user will lost his ETH In the contract.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. https://github.com/code-423n4/2022-11-non-fungible/blob/323b7cbf607425dd81da96c0777c8b12e800305d/contracts/Exchange.sol#L209
Scenario:
Bob created a trade contract C but forgot to include a fallback/receive function to receive eth. He buys some tokens with 10 ETH by executing function _bulkExecute and there are 9 ETH remained after the trade. However, L209 will fail to transfer the ETH back to him but the transaction will compete successfully. Bob lost his 9 ETH to the contract.
Remix
Revise the function _returnDust() so that it will revert when the ETH transfer fails.
function _returnDust() private returns (bool) { uint256 _remainingETH = remainingETH; assembly { if gt(_remainingETH, 0) { let callStatus := call( gas(), caller(), selfbalance(), 0, 0, 0, 0 ) } } if(!callStatus) revert TransferETHFailure(); return callStatus; }
#0 - c4-judge
2022-11-16T11:56:53Z
berndartmueller marked the issue as duplicate of #90
#1 - c4-judge
2022-11-16T11:56:58Z
berndartmueller marked the issue as satisfactory
#2 - c4-judge
2022-12-06T14:10:36Z
berndartmueller changed the severity to 2 (Med Risk)