Revolution Protocol - n1punp's results

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/ERC20TokenEmitter.sol#L177-L184

Vulnerability details

Impact

Leftover ETH may get stuck in ERC20TokenEmitter forever.

Proof of Concept

When a user calls buyToken , the user pays Ether to the token emitter contract. The ETH then gets split and transferred to other relevant parties like builder, referral, deployer, treasury, and creators. In the function, msgValueRemaining is calculated after the ether amount is split between builder, referrer, and deployer (the ethers are transferred to protocolRewards contract).

uint256 msgValueRemaining = _handleRewardsAndGetValueToSend(
            msg.value,
            protocolRewardsRecipients.builder,
            protocolRewardsRecipients.purchaseReferral,
            protocolRewardsRecipients.deployer
        );

After that, the remaining amount is further split to treasury and creators:

uint256 toPayTreasury = (msgValueRemaining * (10_000 - creatorRateBps)) / 10_000;
uint256 creatorDirectPayment = ((msgValueRemaining - toPayTreasury) * entropyRateBps) / 10_000;

Now, the only transfers of this msgValueRemaining remaining ETH is only to these 2 parties (treasury and creator) in the following lines:

(bool success, ) = treasury.call{ value: toPayTreasury }(new bytes(0));
require(success, "Transfer failed.");
if (creatorDirectPayment > 0) {
    (success, ) = creatorsAddress.call{ value: creatorDirectPayment }(new bytes(0));
    require(success, "Transfer failed.");
}

Other than these lines, there are no other functions that allow outflow of the ether in the contract, so the leftover ETH will not be retrievable.

Tools Used

Manual Review

Recommended Mitigation Steps

Some options are:

• Consider implementing an access-controlled function to withdraw remaining ETH
• Transfer the remaining ETH to handle in another contract, or
• Make certain assertion on the msg.value to prevent leftover ETH.

Assessed type

Payable