code-423n4 / 2022-05-factorydao-findings


Denial of Service, Users/Pool owners are not able to withdraw invested funds #212

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleVesting.sol#L173

Vulnerability details

Impact

Denial of Service, Users/Pool owners are not able to withdraw invested funds

Proof of Concept

Pool creation is permissionless. Anyone can propose a pool with any ERC20 token. However, some ERC20 tokens don't revert on a failed transfer. Instead, they return a boolean value.

However, the withdraw() function in MerkleVesting.sol doesn't perform this check.

If a user withdraws but the transfer fails, the system will not revert but will act as if the user's funds were successfully withdrawn. This way, a user directly loses invested money. There is no way to retrieve the lost assets. https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/MerkleVesting.sol#L173

Tools Used

Manual review

Recommended Mitigation Steps

Consider checking the transfer's success return value.
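The unchecked-return pattern this finding describes, next to the mitigation it recommends, as an added example that is not part of the original finding or of the FactoryDAO code base. The contract names, the FalseReturningToken stub and the deposit/withdraw layout are constructed for illustration and do not mirror MerkleVesting.sol; the hardened path follows the same approach as OpenZeppelin's SafeERC20 (low-level call, accept either no return data or a true boolean).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Hypothetical contracts, not the 2022-05-factorydao code.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed test token: returns false instead of reverting when the
// sender's balance is insufficient, which is the behaviour the finding relies on.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) {
            return false; // no revert, caller must check this
        }
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pool: vested balance is reduced even when the token transfer
// reports failure, so the user's claim disappears and nothing is paid out.
contract UncheckedVesting {
    IERC20 public immutable token;
    mapping(address => uint256) public vested;

    constructor(IERC20 _token) { token = _token; }

    // Simplified accounting hook; a real pool would also pull the tokens in.
    function deposit(address beneficiary, uint256 amount) external {
        vested[beneficiary] += amount;
    }

    function withdraw(uint256 amount) external {
        require(vested[msg.sender] >= amount, "insufficient vested");
        vested[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // return value silently ignored
    }
}

// Hardened pool: same layout, but the transfer result is checked and the
// whole call reverts (restoring vested[msg.sender]) if the token says no.
contract CheckedVesting {
    IERC20 public immutable token;
    mapping(address => uint256) public vested;

    constructor(IERC20 _token) { token = _token; }

    function deposit(address beneficiary, uint256 amount) external {
        vested[beneficiary] += amount;
    }

    function withdraw(uint256 amount) external {
        require(vested[msg.sender] >= amount, "insufficient vested");
        vested[msg.sender] -= amount;
        _safeTransfer(token, msg.sender, amount);
    }

    // Works for tokens that return bool and for tokens that return nothing
    // (USDT-style). Reverts if the call itself fails or it returns false.
    // Assumes `t` is a deployed contract; a production helper such as
    // OpenZeppelin's SafeERC20 additionally verifies that code exists there,
    // because a call to a codeless address succeeds with empty return data.
    function _safeTransfer(IERC20 t, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(t).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(
            ok && (data.length == 0 || abi.decode(data, (bool))),
            "transfer failed"
        );
    }
}
```

To reproduce the loss: deploy FalseReturningToken, deploy UncheckedVesting against it without minting any tokens to the pool, call deposit(user, 100) and then withdraw(100) from user. The call succeeds, vested[user] drops to 0, and the user's token balance is unchanged. The same sequence against CheckedVesting reverts with "transfer failed" and leaves vested[user] at 100.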

illuzen commented 2 years ago

Duplicate #27