Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom #12
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
1 (Low Risk)
This was referenced Jan 31, 2022
cryptofish7
added
the
sponsor confirmed
This was referenced Feb 10, 2022
Closed
Closed
dmvt
added
2 (Med Risk)
|
This could result in a loss of funds given the right external conditions. |
This was referenced May 1, 2022
|
To test, I did this: on ...
"test:TEMP": "NODE_ENV=test ETHERNAL_ENABLED=false hardhat test --grep \"should process subsequent withdrawals of all supported tokens successfully\" --parallel",
...Every vault fails: |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Handle
cccz
Vulnerability details
Impact
It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.
Proof of Concept
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L457
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L463
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L489
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L513
https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L537
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider using safeTransfer/safeTransferFrom or require() consistently.
The text was updated successfully, but these errors were encountered: