code-423n4 / 2022-01-trader-joe-findings


Unchecked return value for `token.transferFrom` call #232

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

It is usually good to add a require-statement that checks the return value or to use something like safeTransferFrom; unless one is sure the given token reverts in case of a failure.

https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/RocketJoeFactory.sol#L80-L155

/// ...
/// @param _token Token that will be issued through this launch event
/// ...
function createRJLaunchEvent(
    // ...
    address _token,
    // ...
) external override returns (address) {
    // ...
    IERC20(_token).transferFrom(msg.sender, launchEvent, _tokenAmount);
    // ...
}

Recommendation

Consider adding a require-statement or using safeTransferFrom.
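
The contrast the finding describes, as an added example that is not code from the Trader Joe repository or the issue author: a constructed token that returns `false` instead of reverting, a factory written in the unchecked style shown in the excerpt (which records a launch even when no tokens arrived), and a hardened factory that checks the return value through a `SafeERC20`-style helper so that both `false`-returning and no-return tokens are handled. All contract and function names here (`FalseReturningToken`, `UncheckedFactory`, `CheckedFactory`, `SafeTransfer`, `createLaunch`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Minimal ERC20 surface needed for the demonstration (assumption: only transferFrom matters here).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed token: on insufficient balance/allowance it returns false rather than reverting.
// This is the token behaviour that makes an unchecked transferFrom dangerous.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false; // silent failure: no revert, no state change
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Placeholder for the launch-event contract that receives the tokens (hypothetical).
contract LaunchEvent {}

// Same shape as the excerpt in the finding: the boolean result of transferFrom is dropped,
// so the factory records a funded launch even when the token moved nothing.
contract UncheckedFactory {
    mapping(address => uint256) public recordedDeposit;

    function createLaunch(address token, uint256 amount) external returns (address launchEvent) {
        launchEvent = address(new LaunchEvent());
        IERC20(token).transferFrom(msg.sender, launchEvent, amount); // return value ignored
        recordedDeposit[launchEvent] = amount; // bookkeeping diverges from real balance on failure
    }
}

// SafeERC20-style helper: reverts if the call fails, if a returned bool is false,
// or if the target has no code (a call to an EOA would otherwise "succeed" with empty data).
library SafeTransfer {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "SafeTransfer: not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "SafeTransfer: transferFrom failed");
    }
}

// Hardened factory: the launch is only recorded once the transfer is known to have succeeded.
contract CheckedFactory {
    using SafeTransfer for IERC20;

    mapping(address => uint256) public recordedDeposit;

    function createLaunch(address token, uint256 amount) external returns (address launchEvent) {
        launchEvent = address(new LaunchEvent());
        IERC20(token).safeTransferFrom(msg.sender, launchEvent, amount); // reverts on failure
        recordedDeposit[launchEvent] = amount;
    }
}
```

Deploying `FalseReturningToken`, approving a factory for more than the caller's minted balance, and calling `createLaunch` makes the difference visible: `UncheckedFactory` returns a new launch address with `recordedDeposit` set to `amount` while the launch holds zero tokens, whereas `CheckedFactory` reverts with `SafeTransfer: transferFrom failed`. The empty-`data` branch in the helper is what lets the same code work with tokens that omit the `bool` return, which is why a plain `require(transferFrom(...))` is not sufficient on its own for every token.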

cryptofish7 commented 2 years ago

Fix: https://github.com/traderjoe-xyz/rocket-joe/commit/dbd19cc4

dmvt commented 2 years ago

duplicate of #198