code-423n4 / 2022-05-factorydao-findings


Upgraded Q -> H from 94 [1655957384739] #291

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Judge has assessed an item in Issue #94 as High risk. The relevant finding follows:

2. Return values of transfer()/transferFrom() not checked

Not all IERC20 implementations revert() when there's a failure in transfer()/transferFrom(). The function signature has a boolean return value and they indicate errors that way instead. By not checking the return value, operations that should have been marked as failed may potentially go through without actually making a payment.

File: /contracts/MerkleVesting.sol   #1

```solidity
173           IERC20(tree.tokenAddress).transfer(destination, currentWithdrawal);
```

https://github.com/code-423n4/2022-05-factorydao/blob/e22a562c01c533b8765229387894cc0cb9bed116/contracts/MerkleVesting.sol#L173
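As an added illustration (not code from the finding or from the FactoryDAO repository): a constructed token that signals failure by returning `false` rather than reverting, a hypothetical stand-in for the vesting withdrawal showing how the unchecked call lets accounting update without any payment, and a low-level check that accepts both bool-returning and non-returning tokens. Contract and function names are assumptions; in practice OpenZeppelin's `SafeERC20.safeTransfer` implements the same check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Constructed example token: reports failure by returning false instead of reverting.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert on failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical stand-in for the vulnerable pattern: accounting is updated and the
/// return value of transfer() is ignored, so a failed payment still counts as withdrawn.
contract VestingUnchecked {
    mapping(address => uint256) public withdrawn;

    function withdraw(address token, address destination, uint256 amount) external {
        withdrawn[destination] += amount;
        IERC20(token).transfer(destination, amount); // return value discarded
    }
}

/// Hardened form: the call succeeds only if the token reverted-free AND, when it returns
/// data, that data decodes to true. Tokens that return nothing (revert-only) also pass.
contract VestingChecked {
    mapping(address => uint256) public withdrawn;

    function withdraw(address token, address destination, uint256 amount) external {
        withdrawn[destination] += amount;
        _safeTransfer(token, destination, amount);
    }

    function _safeTransfer(address token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

Calling `VestingUnchecked.withdraw` with a `FalseReturningToken` balance of zero leaves `withdrawn` incremented while no tokens move; the same call on `VestingChecked` reverts and rolls the accounting back.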

gititGoro commented 2 years ago

duplicate of #130

0xSorryNotSorry commented 2 years ago

Hi guys. I have the same in my QA report (on top): https://github.com/code-423n4/2022-05-factorydao-findings/issues/236. I believe this one is also in other wardens' submissions. Looks like it was somehow missed. @gititGoro @JeeberC4