Obedient Lava Monkey
Medium
The failure to refund the entire excess ETH when msg.value > paybackAmount will cause ETH loss for users as the contract may retain unclaimed dust ETH if the exact refund logic is not implemented correctly.
In WrappedTokenGatewayV3.sol, the contract refunds excess ETH after depositing paybackAmount to WETH, but does not account for edge cases where dust ETH (remaining small fractions) might remain in the contract due to rounding issues.
Contracts interacting with msg.value often deal with rounding issues or leftover ETH. This is particularly true when interacting with contracts like WETH or POOL, which may have rounding discrepancies or fixed-point arithmetic constraints.
In repayETH:
if (msg.value > paybackAmount) _safeTransferETH(msg.sender, msg.value - paybackAmount);The contract only refunds the explicit difference between msg.value and paybackAmount. However, dust ETH can remain in the contract due to:
- Rounding discrepancies in
WETH.deposit. - Small mismatches when converting ETH to WETH or handling fractional amounts.
- User calls
repayETHwithmsg.valuegreater than the debt being repaid (paybackAmount).
- Rounding discrepancies arise in WETH’s
depositfunction or the pool’s internal handling of debt.
- User sends
msg.valueslightly greater than the actual repayment amount (e.g., to ensure full coverage). - Contract performs repayment but refunds only the computed difference (
msg.value - paybackAmount). - Dust ETH remains in the contract, which the user cannot retrieve, resulting in ETH loss over multiple transactions.
The user suffers a loss of residual ETH (dust ETH) left in the contract after repayment. Over time, this could accumulate significantly for high-traffic contracts.
No response
Ensure all residual ETH is refunded to the user after the repayment is completed. Modify repayETH as follows:
if (address(this).balance > 0) {
_safeTransferETH(msg.sender, address(this).balance);
}