Platform: Code4rena
Start Date: 11/11/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 62
Period: 3 days
Judge: berndartmueller
Id: 181
League: ETH
Rank: 35/62
Findings: 1
Award: $66.81
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rotcivegaf
Also found by: 0x4non, 0xDecorativePineapple, 9svR6w, Trust, V_B, adriro, ajtra, aviggiano, brgltd, carlitox477, chaduke, codexploder, corerouter, joestakey, ladboy233, s3cunda, saian, wait
66.8068 USDC - $66.81
https://github.com/code-423n4/2022-11-non-fungible/blob/main/contracts/Exchange.sol#L212-L227
The _returnDust function does not check the status of the call it uses to send the remaining ETH back to the caller, which will lead to some ETH being locked in the protocol when msg.sender is a contract that does not have a receive function.
Furthermore, _returnDust does not use remainingETH as the amount it sends to the caller, but selfbalance instead. This means that if someone's ETH is locked in the protocol as described above, another user can use this function to "steal" the locked ETH from the protocol.
function _returnDust() private {
    uint256 _remainingETH = remainingETH;
    assembly {
        if gt(_remainingETH, 0) {
            // amount sent is the whole contract balance, and callStatus is never checked
            let callStatus := call(
                gas(),
                caller(),
                selfbalance(),
                0,
                0,
                0,
                0
            )
        }
    }
}
Add a status check in _returnDust, record failed ETH transfers so that the admin or the user can retrieve the locked ETH, and use remainingETH as the amount instead of selfbalance in order to avoid the potential ETH theft.
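The following is an added illustration, not code from the audited Exchange.sol: a minimal, hypothetical contract that places the weak _returnDust pattern described above beside a hardened variant implementing the suggested mitigation. The names DustReturnExample, _returnDustWeak, _returnDustSafe, unclaimedETH, claimDust and execute are all assumptions made for this sketch; the accounting around remainingETH is simplified to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical sketch (not the audited contract): contrasts the weak
/// dust-return pattern with a hardened one that checks the call result,
/// refunds only the caller's own leftover, and parks failed refunds.
contract DustReturnExample {
    // ETH left over from the caller's batch (simplified bookkeeping)
    uint256 public remainingETH;
    // refunds that could not be delivered, retrievable later by the owner of the funds
    mapping(address => uint256) public unclaimedETH;

    event RefundFailed(address indexed to, uint256 amount);

    receive() external payable {}

    /// Weak variant, mirroring the finding: the amount sent is the entire
    /// contract balance and the call status is discarded.
    function _returnDustWeak() private {
        uint256 _remainingETH = remainingETH;
        assembly {
            if gt(_remainingETH, 0) {
                let callStatus := call(gas(), caller(), selfbalance(), 0, 0, 0, 0)
            }
        }
    }

    /// Hardened variant: send only remainingETH, check the result, and
    /// record a failed refund instead of silently leaving ETH behind.
    function _returnDustSafe() private {
        uint256 amount = remainingETH;
        if (amount == 0) return;
        remainingETH = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) {
            unclaimedETH[msg.sender] += amount;
            emit RefundFailed(msg.sender, amount);
        }
    }

    /// Pull-based retrieval for refunds that could not be delivered
    /// (e.g. the caller was a contract without a receive function at the time).
    function claimDust() external {
        uint256 amount = unclaimedETH[msg.sender];
        require(amount > 0, "nothing to claim");
        unclaimedETH[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "claim failed");
    }

    /// Stand-in for the batch entry point: constructed so that the whole
    /// msg.value is treated as leftover and then returned as dust.
    function execute() external payable {
        remainingETH = msg.value;
        _returnDustSafe();
    }
}
```

With the hardened variant, a caller whose refund fails ends up with a positive unclaimedETH balance rather than ETH stranded on the contract, and because the refund amount is bounded by remainingETH rather than selfbalance, a later caller cannot receive more than their own leftover.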
#0 - trust1995
2022-11-14T22:32:06Z
Dup of #185
#1 - c4-judge
2022-11-16T11:57:05Z
berndartmueller marked the issue as duplicate of #90
#2 - c4-judge
2022-11-16T11:57:12Z
berndartmueller marked the issue as satisfactory
#3 - c4-judge
2022-12-06T14:17:19Z
berndartmueller changed the severity to 2 (Med Risk)