code-423n4 / 2021-06-tracer-findings


Return values of ERC20 `transfer` and `transferFrom` are unchecked #134

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

In some contracts (e.g., TracerPerpetualSwaps.sol), the return values of ERC20 transfer and transferFrom are not checked to be true, which could be false if the transferred tokens are not ERC20-compliant. In that case, the transfer fails without being noticed by the calling contract.

Proof of Concept

Referenced code:

Code using transfer: TracerPerpetualSwaps.sol#L203, TracerPerpetualSwaps.sol#L514, Insurance.sol#L97, SafetyWithdraw.sol#L13

Code using transferFrom: TracerPerpetualSwaps.sol#L151, Insurance.sol#L51

Recommended Mitigation Steps

Use the SafeERC20 library implementation from OpenZeppelin and call safeTransfer or safeTransferFrom when transferring ERC20 tokens.
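The pattern described in this finding and its mitigation, as an added illustration that is not Tracer's code: a hypothetical `Vault` contract whose `depositUnchecked` discards the boolean from `transferFrom` (so a token that signals failure by returning false leaves the vault's accounting credited with tokens it never received), beside `depositChecked`/`withdrawChecked`, which route the same calls through OpenZeppelin's SafeERC20. The OpenZeppelin v4 import paths are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed OpenZeppelin v4 import paths.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical vault (constructed for this example, not from the audited repo).
contract Vault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Vulnerable pattern from the finding: the bool returned by transferFrom
    // is ignored. If the token returns false instead of reverting, execution
    // continues and `balances` is credited although no tokens arrived.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Mitigated pattern: safeTransferFrom reverts when the call reverts, when
    // it returns false, and it also tolerates tokens that return no data at
    // all (SafeERC20 only decodes the return value if some was returned).
    function depositChecked(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Same treatment for outgoing transfers: update accounting first, then
    // let safeTransfer revert the whole transaction if the token reports
    // failure, so the balance deduction cannot outlive a failed payout.
    function withdrawChecked(uint256 amount) external {
        balances[msg.sender] -= amount; // reverts on underflow in 0.8.x
        token.safeTransfer(msg.sender, amount);
    }
}
```

Deploying `Vault` against a test token whose `transferFrom` returns false shows the difference directly: `depositUnchecked` succeeds and inflates `balances`, while `depositChecked` reverts with SafeERC20's "ERC20 operation did not succeed".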

raymogg commented 3 years ago

Duplicate of #115

loudoguno commented 3 years ago

change risk from 1 to 2 as per judges' sheet