code-423n4 / 2022-03-rolla-findings


No use of upgradeable safeERC20 contracts in Controller.sol #4

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/Controller.sol#L5

Vulnerability details

Impact

Controller.sol makes use of OpenZeppelin's ReentrancyGuardUpgradeable.sol in the file but does not use an upgradeable version of SafeERC20.sol.

Proof of Concept

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/Controller.sol#L5

Tools Used

Manual code review

Recommended Mitigation Steps

Make use of OpenZeppelin's upgradeable version of the SafeERC20.sol contract: https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/token/ERC20/utils/SafeERC20Upgradeable.sol
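What the recommended layout looks like in practice, as an added illustration that is not Rolla's Controller.sol: every OpenZeppelin dependency is taken from the `@openzeppelin/contracts-upgradeable` package (4.x paths), initialization happens in an `initializer` rather than a constructor, and token movements go through `SafeERC20Upgradeable`. The `VaultExample` contract, its `collateral` token and the `deposit`/`withdraw` functions are hypothetical. Note that `SafeERC20` is a stateless library with only internal functions, so the swap is about keeping one consistent, audited dependency set for the proxy rather than correcting a storage-layout hazard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. All imports come from the
// upgradeable package so the contract's OpenZeppelin dependencies match.
import "@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/IERC20Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/utils/SafeERC20Upgradeable.sol";

// ReentrancyGuardUpgradeable already inherits Initializable, which supplies
// the `initializer` modifier used below.
contract VaultExample is ReentrancyGuardUpgradeable {
    using SafeERC20Upgradeable for IERC20Upgradeable;

    IERC20Upgradeable public collateral;          // hypothetical collateral token
    mapping(address => uint256) public balances;  // per-user deposited amount

    // Upgradeable contracts replace the constructor with an initializer;
    // the inherited guard must be initialized explicitly.
    function initialize(IERC20Upgradeable _collateral) external initializer {
        __ReentrancyGuard_init();
        collateral = _collateral;
    }

    // safeTransferFrom reverts for tokens that return false or return no
    // data at all, so bookkeeping only advances after a successful transfer.
    function deposit(uint256 amount) external nonReentrant {
        collateral.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // State is updated before the external call (checks-effects-interactions);
    // the subtraction reverts on underflow under Solidity 0.8.
    function withdraw(uint256 amount) external nonReentrant {
        balances[msg.sender] -= amount;
        collateral.safeTransfer(msg.sender, amount);
    }
}
```

Deploy this behind a proxy and call `initialize` once; a deployment that forgets the `__ReentrancyGuard_init()` call leaves the guard's status slot at zero, which is why the initializer wires up every inherited upgradeable module explicitly.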

alcueca commented 2 years ago

Duplicate of #5 by the same warden.