code-423n4 / 2022-05-factorydao-findings


QA Report #104

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

1. Check for zero tokenBalance before depositTokens()

- In MerkleDropFactory.sol#L59, tokenBalance can be checked with require(tokenBalance > 0) to stop zero deposits.

2. ERC20 transfer return value not checked

```solidity
// Before
IERC20(tree.tokenAddress).transfer(destination, currentWithdrawal);

// After
require(IERC20(tree.tokenAddress).transfer(destination, currentWithdrawal), "fail message");
```
illuzen commented 2 years ago
  1. valid
  2. duplicate
gititGoro commented 2 years ago

Note on 2. Not all ERC20 tokens return a boolean. It's safer to perform a low level call and assert that it passed. And even safer to use a battle tested library to do this for you.
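To show both points of the report together with the low-level-call approach gititGoro describes, here is an added example. It is not FactoryDAO's code: `SafeTransfer`, `MerkleDropExample`, `_payout` and the `MerkleTree` struct are hypothetical and only mirror the identifiers quoted in the report (`tree.tokenAddress`, `tokenBalance`, `depositTokens`, `destination`, `currentWithdrawal`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the FactoryDAO contracts. Names below are assumptions
// that mirror the identifiers quoted in the QA report.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

library SafeTransfer {
    // A low-level call handles all three token families a drop may receive:
    //  - tokens that return true on success (the standard),
    //  - tokens that return false instead of reverting (must be treated as failure),
    //  - tokens that return nothing at all (USDT-style), where a high-level
    //    IERC20.transfer call reverts while decoding the missing bool.
    function _call(address token, bytes memory payload) private {
        // A call to an address with no code "succeeds" with empty return data,
        // so accepting empty return data is only safe after this check.
        require(token.code.length > 0, "SafeTransfer: not a contract");
        (bool ok, bytes memory ret) = token.call(payload);
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "SafeTransfer: call failed");
    }

    function safeTransfer(address token, address to, uint256 amount) internal {
        _call(token, abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
    }

    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        _call(token, abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount));
    }
}

contract MerkleDropExample {
    using SafeTransfer for address;

    struct MerkleTree {
        address tokenAddress;
        uint256 tokenBalance;
        // merkle root and claim bookkeeping omitted in this example
    }

    mapping(uint256 => MerkleTree) public trees;

    event TokensDeposited(uint256 indexed treeIndex, address indexed from, uint256 amount);

    // Finding 1: reject a zero-value deposit before touching state.
    function depositTokens(uint256 treeIndex, uint256 amount) external {
        require(amount > 0, "MerkleDrop: zero deposit");
        MerkleTree storage tree = trees[treeIndex];
        require(tree.tokenAddress != address(0), "MerkleDrop: unknown tree");

        tree.tokenAddress.safeTransferFrom(msg.sender, address(this), amount);
        tree.tokenBalance += amount;
        emit TokensDeposited(treeIndex, msg.sender, amount);
    }

    // Finding 2: the payout goes through the checked helper, so a token that
    // returns false (or nothing) cannot silently leave tokenBalance out of sync
    // with the contract's real holdings. Accounting is updated before the
    // external call (checks-effects-interactions).
    function _payout(uint256 treeIndex, address destination, uint256 currentWithdrawal) internal {
        MerkleTree storage tree = trees[treeIndex];
        require(currentWithdrawal <= tree.tokenBalance, "MerkleDrop: insufficient balance");
        tree.tokenBalance -= currentWithdrawal;
        tree.tokenAddress.safeTransfer(destination, currentWithdrawal);
    }
}
```

The `require(IERC20(...).transfer(...))` form from the report is enough for tokens that honour the standard, but it reverts on every non-boolean-returning token because the call site tries to decode a `bool` that was never returned. The helper above, or an audited equivalent such as OpenZeppelin's SafeERC20, accepts empty return data only after confirming the target has code, which is the detail most hand-rolled versions miss.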