Nice Mercurial Albatross
Medium
In any Ethereum transaction, the value of msg.value is a constant, representing the amount of ether sent with the transaction. If this variable is used in a loop with an expectation that it will be applied each time the loop runs, the code may be vulnerable to exploit by an attacker who can effectively reuse the same ether payment repeatedly.
The vulnerable code is located here:
// https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L460
while (totalCostIncludingFees > msg.value) {
// https://github.com/sherlock-audit/2024-12-ethos-update/blob/main/ethos/packages/contracts/contracts/ReputationMarket.sol#L486
uint256 refund = msg.value - totalCostIncludingFees;Remediation and mitigation: To mitigate this bug, assign msg.value to a variable.
+ uint256 varValue = msg.value;
+ while (totalCostIncludingFees > varValue) {
- while (totalCostIncludingFees > msg.value) {
+ uint256 refund = varValue - totalCostIncludingFees;
- uint256 refund = msg.value - totalCostIncludingFees;
}The function now checks the dynamic varValue, rather than the invariant msg.value variable, to ensure that the buyer has paid for each individual vote.