code-423n4 / 2021-05-visorfinance-findings


Unchecked return value of `transferFrom` in function `timeLockERC20` #69

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

In the function timeLockERC20 (line 610), the return value of IERC20.transferFrom is unchecked. The return value could be false if the transferred token is not ERC20-compliant, indicating that the transfer fails. In that case, the variable timelockERC20Balances will be inconsistent with the vault's actual balance.

Proof of Concept

Referenced code: Visor.sol#L610

Tools Used

None

Recommended Mitigation Steps

Use TransferHelper.safeTransfer instead, as in the function timeUnlockERC20 (at line 637).
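The pattern the report describes, shown as an added example rather than code from Visor.sol: a vault that ignores the bool from `transferFrom` beside one that checks it. The function name `timeLockERC20` and the mapping `timelockERC20Balances` are taken from the report; the contract names, the `_safeTransferFrom` helper and the revert string are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical vault that records time-locked ERC20 deposits (not Visor.sol).
contract UncheckedVault {
    mapping(address => uint256) public timelockERC20Balances;

    // Vulnerable pattern: the bool returned by transferFrom is discarded. A token
    // that signals failure by returning false (instead of reverting) leaves the
    // accounting incremented while no tokens actually moved into the vault.
    function timeLockERC20(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        timelockERC20Balances[token] += amount;
    }
}

// Same vault with the transfer result enforced (example-only helper, modelled on
// the low-level pattern used by TransferHelper-style libraries).
contract CheckedVault {
    mapping(address => uint256) public timelockERC20Balances;

    // Accept only (a) success with no return data (tokens that omit the bool) or
    // (b) success with a decoded `true`. Everything else reverts, so the mapping
    // and the vault's real token balance cannot diverge.
    function _safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // A call to an address without code "succeeds" with empty data, which
        // case (a) would otherwise accept; rule that out explicitly.
        require(token.code.length > 0, "NOT_A_CONTRACT");
        (bool success, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(success && (data.length == 0 || abi.decode(data, (bool))), "TRANSFER_FROM_FAILED");
    }

    function timeLockERC20(address token, uint256 amount) external {
        _safeTransferFrom(token, msg.sender, address(this), amount);
        timelockERC20Balances[token] += amount;
    }
}
```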

ghost commented 3 years ago

sponsor confirmed: We are considering a check in our next version.

ghoul-sol commented 3 years ago

Duplicate of #39