search

code-423n4 / 2022-01-trader-joe-findings

2 stars 0 forks source link

Users' tokens can be stuck inside LaunchEvent if the token doesn't revert on failed transfers #252

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

UncleGrandpa925

Vulnerability details

Impact

Users' tokens can be stuck inside LaunchEvent if the token doesn't revert on failed transfers.

Issue

When users call withdrawIncentives, if for any reasons the token transfer fails & the token doesn't revert but only returns a boolean, the user's incentives will be stuck. This is because once withdrawIncentives is called, user.hasWithdrawnIncentives will be set to true & therefore prevents the user from calling the function a second time.

Only 2 solutions are possible: either the issurer trigger emergency (which will crash the event), or the issurer can call skim & get back the tokens from the PenaltyCollector to manually distribute it to the user.

Recommended Mitigation Steps

Use OZ's SafeTransfer

cryptofish7 commented 2 years ago

Duplicate of #12

dmvt commented 2 years ago

This could result in a loss of funds given the right external conditions.

2 — Med (M): vulns have a risk of 2 and are considered “Medium” severity when assets are not at direct risk, but the function of the protocol or its availability could be impacted, or leak value with a hypothetical attack path with stated assumptions, but external requirements.