code-423n4 / 2021-12-amun-findings


Unchecked return value from low-level call() #237

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

JMukesh

Vulnerability details

Impact

The return value of the low-level call is not checked, so if the call fails, the Ether will be locked in the contract. If the low-level call is used to prevent blocking operations, consider logging failed calls.

Proof of Concept

https://github.com/code-423n4/2021-12-amun/blob/98f6e2ff91f5fcebc0489f5871183566feaec307/contracts/basket/contracts/singleJoinExit/EthSingleTokenJoinV2.sol#L26

Tools Used

Manual review

Recommended Mitigation Steps

Add a condition to check the return value.
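The pattern behind this finding, shown as an added illustrative example rather than the audited contract's code: a contract forwards `msg.value` to a WETH-like wrapper through a low-level `call` (the `wrapper` address and `IWrappedNative` interface here are hypothetical stand-ins for the `_INTERMEDIATE_TOKEN` wrapping step the comments refer to). The first function discards the boolean that `call` returns, so a reverting wrapper leaves the ETH stranded in the forwarder with nothing to signal the failure; the other two functions show the two usual fixes, a `require` on the return value or a typed interface call that reverts on failure by itself.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal wrapper interface (stand-in for the intermediate token).
interface IWrappedNative {
    function deposit() external payable;
}

contract EthForwarderExample {
    // Hypothetical stand-in for _INTERMEDIATE_TOKEN; misconfiguring this is the
    // precondition discussed in the issue thread.
    address public immutable wrapper;

    event WrapFailed(address indexed caller, uint256 amount, bytes reason);

    constructor(address _wrapper) {
        wrapper = _wrapper;
    }

    // VULNERABLE: the (bool, bytes) result of call() is ignored. If deposit() reverts
    // (or the address holds no contract), execution simply continues, msg.value stays
    // in this contract, and the caller has no indication that wrapping failed.
    function wrapUnchecked() external payable {
        wrapper.call{value: msg.value}(
            abi.encodeWithSelector(IWrappedNative.deposit.selector)
        );
    }

    // FIXED (1): check the return value and revert, refunding the caller's ETH.
    // If a failure must be tolerated instead of reverting, log it so it is observable.
    function wrapChecked() external payable {
        (bool success, bytes memory reason) = wrapper.call{value: msg.value}(
            abi.encodeWithSelector(IWrappedNative.deposit.selector)
        );
        if (!success) {
            emit WrapFailed(msg.sender, msg.value, reason);
            revert("wrap failed");
        }
    }

    // FIXED (2): a typed interface call bubbles up the revert automatically and,
    // for calls without a return value, Solidity also checks that code exists
    // at the target address, so no manual success check is needed.
    function wrapTyped() external payable {
        IWrappedNative(wrapper).deposit{value: msg.value}();
    }
}

// Constructed for illustration: a wrapper whose deposit() always fails, which is
// what a misconfigured intermediate token could behave like. Deploying the
// forwarder against this contract shows wrapUnchecked() retaining ETH while
// wrapChecked() and wrapTyped() revert and return it to the caller.
contract FailingWrapper is IWrappedNative {
    function deposit() external payable override {
        revert("deposit disabled");
    }
}
```

Solidity 0.8 emits a compiler warning for the unused return value in `wrapUnchecked`, so treating that warning as an error in CI is a cheap way to catch this class of defect before review.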

0xleastwood commented 2 years ago

Nice find! I think this could be marked as medium as it leaks value from the protocol but it doesn't result in assets being lost directly. It requires _INTERMEDIATE_TOKEN to point to a contract which fails upon wrapping the ETH amount.

0xleastwood commented 2 years ago

So considering that _INTERMEDIATE_TOKEN must be improperly set, I will mark this as medium.