code-423n4 / 2021-06-tracer-findings


TracerPerpetualSwaps ERC20 return values not checked #97

Status: Closed (closed by code423n4 3 years ago)

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter should be checked for success. The TracerPerpetualSwaps.deposit, TracerPerpetualSwaps.withdraw and TracerPerpetualSwaps.withdrawFees functions do not check the return value:

```solidity
// deposit
IERC20(tracerQuoteToken).transferFrom(msg.sender, address(this), rawTokenAmount);

// withdraw
IERC20(tracerQuoteToken).transfer(msg.sender, rawTokenAmount);

// withdrawFees
IERC20(tracerQuoteToken).transfer(feeReceiver, tempFees);
```

Impact

Some tokens do not revert if the transfer failed but return false instead. Tokens that don't actually perform the transfer and return false are still counted as a correct transfer.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
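The failure mode and the recommended fix side by side, as an added illustration that is not part of the original finding or the Tracer code base. `FalseReturningToken`, `VulnerableVault` and `SafeVault` are constructed names; the OpenZeppelin import paths are those of the 0.8-era `@openzeppelin/contracts` package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: a token that never moves funds and signals failure by
// returning false instead of reverting, the behaviour the finding describes.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) private _bal;
    function totalSupply() external pure override returns (uint256) { return 0; }
    function balanceOf(address a) external view override returns (uint256) { return _bal[a]; }
    function allowance(address, address) external pure override returns (uint256) { return type(uint256).max; }
    function approve(address, uint256) external pure override returns (bool) { return true; }
    function transfer(address, uint256) external pure override returns (bool) { return false; }
    function transferFrom(address, address, uint256) external pure override returns (bool) { return false; }
}

// Mirrors the reported pattern: the boolean from transferFrom is discarded,
// so a deposit against FalseReturningToken credits the caller with tokens
// that never arrived.
contract VulnerableVault {
    IERC20 public immutable quoteToken;
    mapping(address => uint256) public balances;

    constructor(IERC20 token) { quoteToken = token; }

    function deposit(uint256 amount) external {
        quoteToken.transferFrom(msg.sender, address(this), amount); // return value ignored
        balances[msg.sender] += amount;
    }
}

// Hardened version: SafeERC20 reverts when the call fails or returns false,
// and still accepts tokens that return no data at all (e.g. USDT-style tokens).
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable quoteToken;
    mapping(address => uint256) public balances;

    constructor(IERC20 token) { quoteToken = token; }

    function deposit(uint256 amount) external {
        quoteToken.safeTransferFrom(msg.sender, address(this), amount); // reverts on false
        balances[msg.sender] += amount; // only reached if the transfer succeeded
    }
}
```

Deploying both vaults against `FalseReturningToken` and calling `deposit` shows the difference directly: the vulnerable vault records a balance while its token balance stays zero, whereas the safe vault reverts and records nothing.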

raymogg commented 3 years ago

Duplicate of #115

cemozerr commented 3 years ago

Marking this as it seems to be a duplicate of https://github.com/code-423n4/2021-06-tracer-findings/issues/96, from the same user.