Users could burn/mint JPEG staking tokens for free
Proof of Concept
I dont know if this should be reported as one issue or two.
Both stake() and unstake() functions at JPEGStaking.sol are using the insecure transfer()
and transferFrom(). The problem is that according EIP-20 standard these functions can return false
if the transfer fails. So users could, in some conditions, be burning or minting tokens for free.
I saw that you had already imported OZ library at L12.
using SafeERC20Upgradeable for IERC20Upgradeable;
it is just you called the incorrect transfer function .
Tools Used
Manual code review
Recommended Mitigation Steps
Either use safetransfer() and safetransferFrom() both part of .SafeERC20Upgradeable library or check the output and revert in case of false.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/staking/JPEGStaking.sol#L31-L55
Vulnerability details
Impact
Users could burn/mint JPEG staking tokens for free
Proof of Concept
I dont know if this should be reported as one issue or two.
Both
stake()
andunstake()
functions atJPEGStaking.sol
are using the insecuretransfer()
andtransferFrom()
. The problem is that according EIP-20 standard these functions can return false if the transfer fails. So users could, in some conditions, be burning or minting tokens for free.I saw that you had already imported OZ library at L12.
using SafeERC20Upgradeable for IERC20Upgradeable;
it is just you called the incorrect transfer function .
Tools Used
Manual code review
Recommended Mitigation Steps
Either use
safetransfer()
andsafetransferFrom()
both part of .SafeERC20Upgradeable
library or check the output and revert in case of false.