search

code-423n4 / 2022-01-trader-joe-findings

2 stars 0 forks source link

Unchecked return value for `token.transfer` call #243

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

It is usually good to add a require-statement that checks the return value or to use something like safeTransfer; unless one is sure the given token reverts in case of a failure.

Instances include:

https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L490-L490

token.transfer(msg.sender, amount);

https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L458-L458

token.transfer(msg.sender, amount);

https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L514-L514

token.transfer(issuer, balance);

https://github.com/code-423n4/2022-01-trader-joe/blob/a1579f6453bc4bf9fb0db9c627beaa41135438ed/contracts/LaunchEvent.sol#L538-L538

token.transfer(penaltyCollector, excessToken);

Recommendation

Consider adding a require-statement or using safeTransfer.

cryptofish7 commented 2 years ago

Duplicate of #12

dmvt commented 2 years ago

This could result in a loss of funds given the right external conditions.

2 — Med (M): vulns have a risk of 2 and are considered “Medium” severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.