#46587 [SC-Low] Overpayment loss in `transferToCoreVault` due to incorrect refund condition

Submitted on Jun 2nd 2025 at 04:58:52 UTC by @nnez for Audit Comp | Flare | FAssets

• Report ID: #46587

• Report Type: Smart Contract

• Report severity: Low

• Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/CoreVault.sol

• Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Vulnerability Details

In the transferToCoreVault function, callers must attach enough native token (FLR/SGB) via msg.value to cover a computed transfer fee (transferFeeWei). If they overpay, the contract is intended to refund any excess. The relevant code snippet is:

See: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/CoreVault.sol#L81-L88

    // pay the transfer fee and return overpaid transfer fee when the difference is larger than gas use
    // (all transfers are guarded by nonReentrant in the facet)
    if (msg.value > transferFeeWei + Transfers.TRANSFER_GAS_ALLOWANCE) {
        Transfers.transferNAT(state.nativeAddress, transferFeeWei);
        Transfers.transferNATAllowFailure(payable(msg.sender), msg.value - transferFeeWei);
    } else {
        Transfers.transferNAT(state.nativeAddress, msg.value);
    }

• TRANSFER_GAS_ALLOWANCE is a gas‐unit constant (100 000 gas) used to cap the gas limit when issuing the refund via a low‐level call. It has no direct relationship with wei or FLR/SGB denominations.

• In the if branch (msg.value > transferFeeWei + TRANSFER_GAS_ALLOWANCE), the contract correctly sends exactly transferFeeWei to the fee recipient and issues a refund of msg.value – transferFeeWei (with a limit gas). This covers any overpayment above the required fee.

• In the else branch, when transferFeeWei ≤ msg.value ≤ transferFeeWei + TRANSFER_GAS_ALLOWANCE), the contract treats the entire msg.value as the fee and does not refund the caller’s overpayment. Since gas costs are deducted separately from the sender’s wallet and do not reduce msg.value, this branch effectively causes any excess between transferFeeWei and transferFeeWei + TRANSFER_GAS_ALLOWANCE to be incorrectly sent to fee receiver.

Example Scenario

Let’s assume:

• transferFeeWei = 1_000_000 wei (0.001 FLR)

• TRANSFER_GAS_ALLOWANCE = 100_000 (gas)

Case – Small Overpayment

• Caller sends msg.value = 1_000_050 wei

• Since 1_000_050 < 1_000_000 + 100_000, the contract enters the else branch

• Result: Entire 1_000_050 wei is forwarded as fee; 50 wei overpayment is not refunded

Thus, only when msg.value falls in the interval:

the contract incorrectly retains any overpayment (send to fee receiver) instead of refunding it.

Impact

The refund logic is incorrect, users overpaying by up to TRANSFER_GAS_ALLOWANCE wei will not be refunded.

Recommended Mitigations

Proof of Concept

Proof-of-Concept

The following test demonstrates that if a fee is paid between [transferFeeWei, transferFeeWei + TRANSFER_GAS_ALLOWANCE], the refund is not triggered due to the misconception on gas consumption (TRANSFER_GAS_ALLOWANCE).

Steps

1. Put the following test in test/integration/fasset-simulation/14-CoreVault.ts

1. Run yarn hardhat test "test/integration/fasset-simulation/14-CoreVault.ts" --grep "nnez - incorrect transfer fee refund"

2. Observe that the test passes (last assert passes)