Denial of Service, Users/Pool owners are not able to withdraw invested funds
Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L230
Vulnerability details
Impact
Denial of Service, Users/Pool owners are not able to withdraw invested funds
Proof of Concept
Pool creation is permissionless: anyone can propose a pool with any ERC20 token. However, some tokens don't strictly follow the ERC20 standard. For example, some tokens don't return a transfer success confirmation. In such a case, the EVM interprets it as false and the whole withdrawal process reverts. This leaves users and pool owners unable to retrieve their invested funds.
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L230
transfer() in the withdraw() function might revert if there is no return value.
Tools Used
Manual review
Recommended Mitigation Steps
Consider using safeTransfer()
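The failure mode and the recommended fix side by side, as an added example that is not the project's own code. NoReturnToken, PayoutDemo, payoutStrict, payoutSafe and _safeTransfer are hypothetical names, the pragma is an assumption, and _safeTransfer follows the pattern used by safeTransfer() helpers such as OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12; // assumed compiler version

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed mock: transfer() moves balances but declares no return value.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000 ether; }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[to] += amount;
    }
}

// Hypothetical payout contract; it must hold a token balance before paying out.
contract PayoutDemo {
    // Reverts when the token returns no data, because a bool return value is expected.
    function payoutStrict(address token, address to, uint256 amount) external {
        bool success = IERC20(token).transfer(to, amount);
        require(success, "Token transfer failed");
    }

    // Succeeds for compliant tokens and for tokens that return nothing.
    function payoutSafe(address token, address to, uint256 amount) external {
        _safeTransfer(token, to, amount);
    }

    function _safeTransfer(address token, address to, uint256 amount) private {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "transfer call reverted");
        // Empty return data is accepted; any returned value must decode to true.
        require(ret.length == 0 || abi.decode(ret, (bool)), "transfer returned false");
    }
}
```

Funding PayoutDemo with NoReturnToken and calling payoutStrict reverts, while payoutSafe with the same arguments completes the transfer.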