Skip to content

Latest commit

 

History

History
45 lines (27 loc) · 2.32 KB

044.md

File metadata and controls

45 lines (27 loc) · 2.32 KB
Raw

Mysterious Plum Griffin

Medium

Unintended ETH Payment Allowed for Zero-Priced Reviews

Summary

The absence of a check for msg.value when price == 0 in the _handlePayment function allows users to send an arbitrary amount of ETH. Consequently, users can spend more than the intended price, creating an opportunity for excessive, unintended payments when adding reviews if the payment price is set to zero. https://github.com/sherlock-audit/2024-10-ethos-network/blob/main/ethos/packages/contracts/contracts/EthosReview.sol#L481-L493

Root Cause

  • In _handlePayment(address paymentToken), there is a missing msg.value validation for cases where price is zero and paymentToken == address(0):
  • In cases where the review price is set to zero, there is no restriction on the amount of ETH that users can send in msg.value.
  • Example: addReview() will allow an arbitrary ETH payment if paymentToken is address(0) and price is zero.

Internal pre-conditions

  1. The protocol admin sets reviewPrice[address(0)].price to zero for the native ETH payment option in the initialize function.
  2. Users call addReview() and choose address(0) as paymentToken, intending to pay with ETH.
  3. msg.value is allowed to carry any amount since the _handlePayment function does not check msg.value when price == 0.

External pre-conditions

  1. The protocol must allow address(0) as a valid token (for native ETH payments).
  2. Users ETH balances need to be sufficient to send arbitrary amounts in msg.value.

Attack Path

  1. The protocol admin sets the price for reviews to zero for the native token (address(0)).
  2. A user calls addReview() and chooses to pay with ETH, setting paymentToken to address(0) and passing any positive msg.value.
  3. The review is accepted, even though the user paid more than required, resulting in an unintended overpayment.

Impact

The protocol experiences unintended ETH overpayments when users submit reviews with paymentToken set to address(0) and price set to zero. This results in potentially excessive and arbitrary ETH loss for users due to the lack of a strict check on msg.value when no payment is required.

PoC

No response

Mitigation

Add a msg.value == 0 check within _handlePayment to enforce that no ETH is sent if the price for address(0) is zero.