Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Using "transfer/transferFrom" instead of "safeTransfer/safeTransferFrom" #425

Closed
code423n4 opened this issue Jul 14, 2022 · 2 comments
Closed

Using "transfer/transferFrom" instead of "safeTransfer/safeTransferFrom" #425

code423n4 opened this issue Jul 14, 2022 · 2 comments
Labels
bug Warden finding duplicate Another warden found this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/e2c5a962a94106f9495eb96769d7f60f7d5b14c9/src/modules/protoforms/BaseVault.sol#L65

Vulnerability details

Impact

Using transfer and transferFrom instead of their safe alternatives may result in transactions fail silently.

Proof of Concept

Using token transferFrom functions instead of safeTransferFrom (BaseVault.sol#L65) which is discouraged and can cause tokens to be stuck in the case of the transaction not reverting on failed transfers. There’s also precedents of this vulnerability as seen here
code-423n4/2022-01-trader-joe-findings#12

Tools Used

Manual code review

Recommended Mitigation Steps

We suggest you to check all of your contracts and fix this issue by implementing safeTransfer and safeTransferFrom instead of transfer and transferFrom where applicable.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Warden finding labels Jul 14, 2022
code423n4 added a commit that referenced this issue Jul 14, 2022
@code423n4
kebabsec issue #425
f070bf0
@stevennevins stevennevins added the duplicate Another warden found this issue label Jul 21, 2022
@stevennevins
Copy link
Collaborator

Duplicate of #312

@stevennevins stevennevins marked this as a duplicate of #312 Jul 21, 2022
@HardlyDifficult
Copy link
Collaborator

Agree with the sponsor that this is a non-critical best practice. Transfers may fail but no events are emitted, balance doesn't change, and no other negative consequences were identified.

Merging with the warden's QA report #450

@HardlyDifficult HardlyDifficult added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jul 26, 2022
@HardlyDifficult HardlyDifficult mentioned this issue Jul 26, 2022
Open
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug Warden finding duplicate Another warden found this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@stevennevins @HardlyDifficult @code423n4