code-423n4 / 2021-09-defiprotocol-findings


Unsafe transfer used for bounty rewards #103

Closed code423n4 closed 2 years ago

code423n4 commented 3 years ago

Handle

itsmeSTYJ

Vulnerability details

Impact

Unsafe ERC20 tokens that are compiled before solidity version 0.4.22 will not be able to be transferred out of the contract as the transfer function does not return a value on transfer, i.e. they do not 100% comply with the current ERC20 token standard.

This means if these unsafe tokens are used to fund the bounty, the tokens are lost forever. You can read more about this here.

Recommended Mitigation Steps

```solidity
// Requires OpenZeppelin's SafeERC20 library: `using SafeERC20 for IERC20;` at contract level.
function withdrawBounty(uint256[] memory bountyIds) internal {
    // withdraw bounties
    for (uint256 i = 0; i < bountyIds.length; i++) {
        // `storage` so the `active = false` write below persists; a `memory` copy would discard it
        Bounty storage bounty = _bounties[bountyIds[i]];
        require(bounty.active);

        IERC20(bounty.token).safeTransfer(msg.sender, bounty.amount); // replaced transfer with safeTransfer
        bounty.active = false;

        emit BountyClaimed(msg.sender, bounty.token, bounty.amount, bountyIds[i]);
    }
}
```
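The mechanism behind this finding, as an added example that is not from the issue or from the audited project: a SafeERC20-style wrapper that accepts either no return data or an encoded `true`, placed next to the plain interface call that reverts on a no-return token. All contract, library and function names here are hypothetical.

```solidity
// Added illustration (not the project's code): a SafeERC20-style wrapper
// that tolerates tokens whose transfer() returns nothing, next to the plain
// interface call that reverts on them. All names are hypothetical.
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

library SafeTransferLib {
    // Low-level call so the ABI decoder never runs on an empty return buffer.
    // Accepts: no return data (call succeeded) or an encoded `true`.
    // A revert, or a returned `false`, reverts here.
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "transfer call reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "transfer returned false");
    }
}

// Constructed token with the problematic signature: transfer() returns nothing.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1_000 ether; }
    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

contract BountyVault {
    using SafeTransferLib for IERC20;

    // Reverts for NoReturnToken: the token call succeeds, but the caller then
    // tries to decode a bool from empty returndata (checked since 0.4.22).
    function payoutUnsafe(address token, address to, uint256 amount) external {
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }

    // Succeeds for NoReturnToken and for standard bool-returning tokens alike.
    function payoutSafe(address token, address to, uint256 amount) external {
        IERC20(token).safeTransfer(to, amount);
    }
}
```

A production wrapper such as OpenZeppelin's SafeERC20 additionally checks that the target address has code, because a low-level call to an account without code also returns success with empty return data and would otherwise pass the length check above.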
frank-beard commented 3 years ago

duplicate of https://github.com/code-423n4/2021-09-defiprotocol-findings/issues/196

GalloDaSballo commented 2 years ago

Duplicate of #196