Open code423n4 opened 3 years ago
strictly-scarce
commented
3 years ago For composabilty with the rest of the ecosystem, this should be addressed, although disagree with the severity, no funds are lost, just the aggregrator cannot transfer unless they first transfer to themselves, which most often do.
Mervyn853
commented
3 years ago Our decision matrix for severity:
0: No-risk: Code style, clarity, off-chain monitoring (events etc), exclude gas-optimisations 1: Low Risk: UX, state handling, function incorrect as to spec 2: Funds-Not-At-Risk, but can impact the functioning of the protocol, or leak value with a hypothetical attack path with stated assumptions, but external requirements 3: Funds can be stolen/lost directly, or indirectly if a valid attack path shown that does not have handwavey hypotheticals.
Recommended: 2
Handle
@cmichelio
Vulnerability details
Vulnerability Details
The
Vader._transferfunction burns the transfer fee onmsg.senderbut this address might not be involved in the transfer at all due totransferFrom.Impact
Smart contracts that simply relay transfers like aggregators have their Vader balance burned or the transaction fails because these accounts don't have any balance to burn, breaking the functionality.
Recommended Mitigation Steps
It should first increase the balance of
recipientby the full amount and then burn the fee on therecipient.