Open code423n4 opened 2 years ago
Duplicate of #232
I'm making this the primary description since it best describes the potential problem and the functions potentially affected. Given external factors, this could result in a loss of funds.
2 — Med (M): vulns have a risk of 2 and are considered “Medium” severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.
Handle
cmichel
Vulnerability details
The `ERC20.transfer()` and `ERC20.transferFrom()` functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return `false` instead. Tokens that don't actually perform the transfer and return `false` are still counted as a correct transfer.
Recommendation
As the Launch event token can be any token, all interactions with it should follow correct EIP20 checks. We recommend checking the `success` boolean of all `.transfer` and `.transferFrom` calls for the unknown `token` contract.
- `LaunchEvent.withdrawLiquidity`: `token.transfer(msg.sender, amount);`
- `LaunchEvent.withdrawIncentives`: `token.transfer(msg.sender, amount);`
- `LaunchEvent.emergencyWithdraw`: `token.transfer(msg.sender, amount);`
- `LaunchEvent.skim`: `token.transfer(msg.sender, amount);`
- `RocketJoeFactory.createRJLaunchEvent`: `IERC20(_token).transferFrom(msg.sender, launchEvent, _tokenAmount);`
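The failure mode described above, shown as an added example that is not part of the report or of the Rocket Joe code base: a constructed mock token that signals failure by returning `false` instead of reverting, a contract that discards the return value the way the listed `LaunchEvent` functions do, and a hardened version that wraps the call SafeERC20-style so that both `false`-returning and no-return tokens are handled. All contract, library and function names here (`FalseReturningToken`, `UncheckedWithdraw`, `SafeTransfer`, `CheckedWithdraw`, `credit`, `owed`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Minimal subset of the ERC20 interface used by the example.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Constructed mock: a token that never reverts and reports failure with `false`.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000 ether; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert, nothing moves
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (balanceOf[from] < amount) return false; // no revert, nothing moves
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern (hypothetical contract): the boolean is discarded, so the
// caller's claim is zeroed even when the token moved nothing.
contract UncheckedWithdraw {
    IERC20 public immutable token;
    mapping(address => uint256) public owed;

    constructor(IERC20 t) { token = t; }

    // Unrestricted for the demo only.
    function credit(address who, uint256 amount) external { owed[who] += amount; }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        token.transfer(msg.sender, amount); // return value ignored: silently loses `amount` on a false-returning token
    }
}

// Hardened pattern: a SafeERC20-style wrapper around the low-level call.
// A plain `require(token.transfer(...))` would be enough for false-returning
// tokens, but it reverts on tokens that return no data at all, so the wrapper
// accepts empty returndata and demands `true` whenever data is returned.
library SafeTransfer {
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _call(address(token), abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _call(address(token), abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount));
    }

    function _call(address token, bytes memory data) private {
        // A call to an address with no code "succeeds" with empty returndata, so reject it first.
        require(token.code.length > 0, "SafeTransfer: not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        require(ok, "SafeTransfer: call reverted");
        require(ret.length == 0 || abi.decode(ret, (bool)), "SafeTransfer: transfer returned false");
    }
}

contract CheckedWithdraw {
    using SafeTransfer for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public owed;

    constructor(IERC20 t) { token = t; }

    function credit(address who, uint256 amount) external { owed[who] += amount; }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount); // reverts on `false`, so `owed` is rolled back
    }
}
```

Deploying `FalseReturningToken` and crediting a user of `UncheckedWithdraw` more than the contract actually holds reproduces the issue: `withdraw()` succeeds, `owed` drops to zero and the user receives nothing. The same call against `CheckedWithdraw` reverts with "transfer returned false" and the claim is preserved. In production code the equivalent is OpenZeppelin's `SafeERC20.safeTransfer` / `safeTransferFrom`, which performs the same checks.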