Lines of code
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L144-L146
Vulnerability details
Impact
The return value of transferFrom() at https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L144 is not checked. A token that signals a failed transfer by returning false instead of reverting therefore lets a caller fund a pool during creation without actually transferring the tokens that are recorded as rewardTokens, creating a rewardFunding entry at no cost.
Proof of Concept
https://github.com/code-423n4/2022-05-factorydao/blob/main/contracts/PermissionlessBasicPoolFactory.sol#L144-L146
Tools Used
Manual review
Recommended Mitigation Steps
Use the SafeERC20 library implementation from OpenZeppelin and call safeTransfer or safeTransferFrom when transferring ERC20 tokens, so that a transfer which returns false (or returns no value) reverts instead of being silently treated as a success.
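The following Solidity is an added illustration written for this report, not code from the FactoryDAO repository: a hypothetical pool-funding routine in the pattern the finding describes, beside the SafeERC20 version recommended above. The contract names, the Pool struct, the fund() function and the false-returning token are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed for this example: a token that reports failure by returning
// false rather than reverting. Some deployed ERC20s behave this way.
contract FalseReturningToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false; // nothing is moved and nothing reverts
    }
}

// Before: the pattern the finding describes. The bool returned by
// transferFrom() is dropped, so rewardFunding is credited even when no
// tokens arrived in the contract.
contract UncheckedPoolFunding {
    struct Pool { address[] rewardTokens; uint256[] rewardFunding; }
    mapping(uint256 => Pool) internal pools;

    function fund(uint256 poolId, address[] calldata tokens, uint256[] calldata amounts) external {
        Pool storage p = pools[poolId];
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20(tokens[i]).transferFrom(msg.sender, address(this), amounts[i]); // return value ignored
            p.rewardTokens.push(tokens[i]);
            p.rewardFunding.push(amounts[i]);
        }
    }
}

// After: the recommended mitigation. safeTransferFrom reverts when the token
// returns false, or returns no data and the low-level call fails, so funding
// is recorded only if the transfer succeeded. The balance delta also guards
// against fee-on-transfer tokens crediting more than was received.
contract CheckedPoolFunding {
    using SafeERC20 for IERC20;

    struct Pool { address[] rewardTokens; uint256[] rewardFunding; }
    mapping(uint256 => Pool) internal pools;

    function fund(uint256 poolId, address[] calldata tokens, uint256[] calldata amounts) external {
        Pool storage p = pools[poolId];
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20 token = IERC20(tokens[i]);
            uint256 before = token.balanceOf(address(this));
            token.safeTransferFrom(msg.sender, address(this), amounts[i]); // reverts on failure
            uint256 received = token.balanceOf(address(this)) - before;
            p.rewardTokens.push(tokens[i]);
            p.rewardFunding.push(received); // credit what actually arrived
        }
    }
}
```

Calling fund() on UncheckedPoolFunding with a FalseReturningToken address succeeds and records the full amount; the same call on CheckedPoolFunding reverts with SafeERC20's failed-operation error.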