FixedPricePassThruGate locked ether #146
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate: This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/FixedPricePassThruGate.sol#L48
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/FixedPricePassThruGate.sol#L53
Vulnerability details
Impact
Contract FixedPricePassThruGate is a pass-through gate that passes funds to the gate's beneficiary. Function passThruGate requires sending ether that is equal to or more than gate.ethCost. In the case of receiving more ether than gate.ethCost, passThruGate passes to the beneficiary only the amount of gate.ethCost:
Since there is no way to withdraw ether, it ends up with ether being locked forever in the contract and effectively a loss of funds for the user(s).
Proof of Concept
FixedPricePassThruGate.sol:
Tools Used
Manual Review / VSCode
Recommended Mitigation Steps
It is recommended to either pass msg.value to the beneficiary:
or make sure that the exact amount of ether is sent:
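The behaviour described in this report next to the two recommended mitigations, as an added example that is not code from the report or from the FactoryDAO repository. The contract name GateSketch, addGate, _forward and the three function variants are hypothetical; ethCost, beneficiary and the pass-through flow follow the report's wording.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Simplified sketch for illustration only; all names other than
// ethCost and beneficiary are assumptions made for this example.
contract GateSketch {
    struct Gate { uint256 ethCost; address beneficiary; }
    Gate[] public gates;

    function addGate(uint256 ethCost, address beneficiary) external {
        gates.push(Gate(ethCost, beneficiary));
    }

    // Behaviour the report describes: accepts msg.value >= ethCost but
    // forwards only ethCost, so (msg.value - ethCost) stays in this
    // contract, which has no withdraw function.
    function passThruGateLocking(uint256 index) external payable {
        Gate memory gate = gates[index];
        require(msg.value >= gate.ethCost, "Please send more ETH");
        _forward(gate.beneficiary, gate.ethCost);
    }

    // Mitigation 1: forward everything that was sent, so the contract
    // balance is unchanged after the call.
    function passThruGateForwardAll(uint256 index) external payable {
        Gate memory gate = gates[index];
        require(msg.value >= gate.ethCost, "Please send more ETH");
        _forward(gate.beneficiary, msg.value);
    }

    // Mitigation 2: accept only the exact price; an overpayment reverts
    // and the ether never leaves the caller.
    function passThruGateExact(uint256 index) external payable {
        Gate memory gate = gates[index];
        require(msg.value == gate.ethCost, "Send exactly ethCost");
        _forward(gate.beneficiary, gate.ethCost);
    }

    // Low-level call so contract beneficiaries can receive ether;
    // reverts the whole transaction if the transfer fails.
    function _forward(address to, uint256 amount) private {
        if (amount == 0) return;
        (bool sent, ) = to.call{value: amount}("");
        require(sent, "ETH transfer failed");
    }
}
```

A quick check for the locked-ether condition in tests is to assert that address(gate).balance is unchanged after every passThruGate call.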