code-423n4 / 2021-06-tracer-findings


erc20 transfers do not check the return value #111

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

pauliax

Vulnerability details

Impact

When transferring ERC20 tokens, the functions transfer and transferFrom are used. These functions return a boolean to indicate whether the action was successful; however, none of the usages check the returned value:

collateralToken.transferFrom(msg.sender, address(this), rawTokenAmount);
IERC20(tracerQuoteToken).transferFrom(msg.sender, address(this), rawTokenAmount);
collateralToken.transfer(msg.sender, rawTokenAmount);
IERC20(tracerQuoteToken).transfer(msg.sender, rawTokenAmount);
IERC20(tracerQuoteToken).transfer(feeReceiver, tempFees);

Recommended Mitigation Steps

There are lots of possible issues with different erc20 tokens (https://github.com/xwvvvvwx/weird-erc20) but the current best practice to deal with it is using SafeERC20: https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#SafeERC20
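
The following is an added illustration of the finding and its mitigation; it is not code from the Tracer repository or from the warden. It assumes OpenZeppelin Contracts 4.x import paths, and the contract names (ReturnsFalseToken, UncheckedVault, SafeVault) and the mock token are constructed for the example. The mock token signals failure by returning false rather than reverting, which is one of the behaviours catalogued in the linked weird-erc20 list, so the unchecked vault credits a deposit that never moved any tokens while the SafeERC20 version reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Tracer project code. Import paths assume OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock token: ABI-compatible with IERC20 but returns false on
/// failure instead of reverting (no revert, so the caller's tx continues).
contract ReturnsFalseToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Insufficient balance -> return false, do not revert.
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // Insufficient balance or allowance -> return false, do not revert.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern from the finding: the boolean returned by
/// transfer/transferFrom is dropped, so internal accounting diverges from
/// the token balance actually held by the contract.
contract UncheckedVault {
    IERC20 public immutable collateralToken;
    mapping(address => uint256) public balances;

    constructor(IERC20 token) {
        collateralToken = token;
    }

    function deposit(uint256 rawTokenAmount) external {
        // Return value ignored: with ReturnsFalseToken this can be false...
        collateralToken.transferFrom(msg.sender, address(this), rawTokenAmount);
        // ...yet the depositor is still credited.
        balances[msg.sender] += rawTokenAmount;
    }

    function withdraw(uint256 rawTokenAmount) external {
        balances[msg.sender] -= rawTokenAmount; // reverts on underflow in 0.8.x
        // Return value ignored: a failed payout still reduces the balance.
        collateralToken.transfer(msg.sender, rawTokenAmount);
    }
}

/// Mitigated version using SafeERC20, as recommended in the finding.
/// safeTransfer/safeTransferFrom revert if the call fails, returns false,
/// or (for tokens that return nothing) returns unexpected data.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateralToken;
    mapping(address => uint256) public balances;

    constructor(IERC20 token) {
        collateralToken = token;
    }

    function deposit(uint256 rawTokenAmount) external {
        // Reverts on a false return, so balances are only credited for tokens received.
        collateralToken.safeTransferFrom(msg.sender, address(this), rawTokenAmount);
        balances[msg.sender] += rawTokenAmount;
    }

    function withdraw(uint256 rawTokenAmount) external {
        balances[msg.sender] -= rawTokenAmount;
        // Reverts on a false return, so the debit above is rolled back with it.
        collateralToken.safeTransfer(msg.sender, rawTokenAmount);
    }
}
```

Deploying both vaults against `IERC20(address(new ReturnsFalseToken(0)))` and calling `deposit(1)` from an account with no balance shows the difference: UncheckedVault records `balances[caller] == 1` while holding zero tokens, whereas SafeVault reverts. SafeERC20 addresses the missing-return and false-return cases; it does not detect fee-on-transfer or rebasing tokens, for which the contract would additionally need to compare its balance before and after the transfer.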

raymogg commented 3 years ago

Duplicate of #115

loudoguno commented 3 years ago

changed risk from 1 to 2 as per judges' sheet