loss of gas for the user because of not using msg.value #130
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden's risk assessment (sponsor explain in comments)
invalid: This doesn't seem right
responded: The Holograph team has reviewed and responded
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/contracts/module/LayerZeroModule.sol#L241
Vulnerability details
Impact
This could cause problems, since if the user sends 10,000 wei and puts the value 1,000 wei in the parameter, he would be losing 9,000 wei in the contract that he could not recover.
This is necessary to do since we cannot trust the Operator contract to validate it; the implementation may change.
Recommended Mitigation Steps
Make the send() function either request that msg.value == msgValue, or directly use msg.value, or, as a last possible solution, make it return the non-excess gas.
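The pattern described in this report and the three mitigations it lists, as an added example that is not part of the original issue and is not Holograph's code. The contract `FeeForwarder`, the interface `IEndpoint`, and all function names and the `refundTo` parameter are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical downstream endpoint; not LayerZero's real interface.
interface IEndpoint {
    function deliver(bytes calldata payload) external payable;
}

// Hypothetical forwarder used only to illustrate the report.
contract FeeForwarder {
    IEndpoint public immutable endpoint;

    constructor(IEndpoint endpoint_) {
        endpoint = endpoint_;
    }

    // Pattern from the report: forwards the declared amount and never
    // compares it with msg.value. Attaching 10,000 wei while passing
    // msgValue = 1,000 leaves 9,000 wei held by this contract.
    function sendUnchecked(uint256 msgValue, bytes calldata payload) external payable {
        endpoint.deliver{value: msgValue}(payload);
    }

    // Mitigation 1: require the declared amount to equal the attached amount.
    function sendStrict(uint256 msgValue, bytes calldata payload) external payable {
        require(msg.value == msgValue, "msg.value != msgValue");
        endpoint.deliver{value: msgValue}(payload);
    }

    // Mitigation 2: drop the parameter and forward msg.value itself.
    function sendAll(bytes calldata payload) external payable {
        endpoint.deliver{value: msg.value}(payload);
    }

    // Mitigation 3: forward msgValue and refund whatever was not forwarded.
    // The refund address is explicit because the direct caller may be
    // another contract rather than the user who paid.
    function sendWithRefund(uint256 msgValue, address payable refundTo, bytes calldata payload)
        external
        payable
    {
        require(msg.value >= msgValue, "attached value below msgValue");
        endpoint.deliver{value: msgValue}(payload);
        uint256 unspent = msg.value - msgValue;
        if (unspent > 0) {
            (bool ok, ) = refundTo.call{value: unspent}("");
            require(ok, "refund failed");
        }
    }
}
```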