FixedPricePassThruGate.sol
All the msg.value
should be pass thru to gate.beneficiary
instead of gate.ethCost
#154
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate
This issue or pull request already exists
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/FixedPricePassThruGate.sol#L46-L56
Vulnerability details
In
FixedPricePassThruGate.sol#passThruGate()
, at L48 themsg.value
is checked to be>= gate.ethCost
instead of== gate.ethCost
, which makes it possible for the caller to send more thangate.ethCost
.However, at L53 only the amount of
gate.ethCost
is passed thru togate.beneficiary
instead of all themsg.value
.https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/FixedPricePassThruGate.sol#L46-L56
As a result, any surplus funds sent by the caller will be stuck in the contract forever, and there is no way for anyone to retrieve them.
Recommendation
Change to:
See also: the implementation of
SpeedBumpPriceGate.sol
correctly forwarded all themsg.value
.https://github.com/code-423n4/2022-05-factorydao/blob/db415804c06143d8af6880bc4cda7222e5463c0e/contracts/SpeedBumpPriceGate.sol#L65-L82
The text was updated successfully, but these errors were encountered: