code-423n4 / 2022-06-illuminate-findings


Unused Return #393

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L178
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L221
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L229
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L416
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L469
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L530
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L585
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L628
https://github.com/code-423n4/2022-06-illuminate/blob/main/lender/Lender.sol#L654

Vulnerability details

Impact

Configuration

Check: unused-return
Severity: Medium
Confidence: Medium
Description: The return value of this external call is not stored in a local or state variable. Unused return values of function calls are indicative of programmer errors which may have unexpected behavior. (Total of nine instances of the particular vulnerability)

--Lender.mint(uint8,address,uint256,uint256) (Lender.sol#167-183) ignores return value by IERC5095(principalToken(u,m)).mint(msg.sender,a) (Lender.sol#178)

--Lender.lend(uint8,address,uint256,uint256,address) (Lender.sol#192-235) ignores return value by IERC5095(principalToken(u,m)).mint(msg.sender,returned) (Lender.sol#221)

--Lender.lend(uint8,address,uint256,uint256[],address,Swivel.Order[],Swivel.Components[]) (Lender.sol#247-305) ignores return value by ISwivel(swivelAddr).initiate(o,a,s) (Lender.sol#299)

--Lender.lend(uint8,address,uint256,uint256,uint256,uint256) (Lender.sol#377-420) ignores return value by IERC5095(illuminateToken).mint(msg.sender,returned) (Lender.sol#416)

--Lender.lend(uint8,address,uint256,uint256,uint256,uint256,address,address) (Lender.sol#433-473) ignores return value by illuminateToken.mint(msg.sender,returned) (Lender.sol#469)

--Lender.lend(uint8,address,uint256,uint128,uint256,address,address) (Lender.sol#486-534) ignores return value by illuminateToken.mint(msg.sender,returned) (Lender.sol#530)

--Lender.lend(uint8,address,uint256,uint256,uint256,address,address,uint256) (Lender.sol#545-589) ignores return value by IERC5095(principalToken(u,m)).mint(msg.sender,returned) (Lender.sol#585)

--Lender.lend(uint8,address,uint256,uint256) (Lender.sol#597-632) ignores return value by IERC5095(illuminateToken).mint(msg.sender,returned) (Lender.sol#628)

--Lender.yield(address,address,uint256,address) (Lender.sol#641-657) ignores return value by IYield(y).sellBase(r,returned) (Lender.sol#654)

Proof of Concept

https://medium.com/coinmonks/return-values-in-solidity-contracts-2a034b31d553

Example of unused return vulnerability:

contract MyConc {
    using SafeMath for uint;
    function my_func(uint c, uint b) public {
        c.sub(b); // result of sub() is discarded
    }
}

MyConc calls sub of SafeMath, but does not store the result in c. As a result, the computation has no effect.

Tools Used

Slither and hardhat

Recommended Mitigation Steps

Ensure that all the return values of the function calls are used.

KenzoAgada commented 2 years ago

Not a real issue, looks like copy-paste from Slither without checking relevancy.
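A triage aid for the relevance check raised in the last comment, added here as an example and not part of the issue, the contest repository or Slither. It parses finding lines in the format shown in the report and groups the call sites by callee, so each external function's return semantics are read once; the function names are this example's own, and the sample lines are copied from the report above.

```python
import re

# Four finding lines copied from the report above (Slither "unused-return" output).
SAMPLE = """\
--Lender.mint(uint8,address,uint256,uint256) (Lender.sol#167-183) ignores return value by IERC5095(principalToken(u,m)).mint(msg.sender,a) (Lender.sol#178)
--Lender.lend(uint8,address,uint256,uint256,address) (Lender.sol#192-235) ignores return value by IERC5095(principalToken(u,m)).mint(msg.sender,returned) (Lender.sol#221)
--Lender.lend(uint8,address,uint256,uint256[],address,Swivel.Order[],Swivel.Components[]) (Lender.sol#247-305) ignores return value by ISwivel(swivelAddr).initiate(o,a,s) (Lender.sol#299)
--Lender.yield(address,address,uint256,address) (Lender.sol#641-657) ignores return value by IYield(y).sellBase(r,returned) (Lender.sol#654)
"""

FINDING = re.compile(
    r"^-*\s*(?P<caller>[\w.]+)\((?P<params>.*?)\)\s+\((?P<file>[\w./]+)#(?P<start>\d+)-(?P<end>\d+)\)"
    r"\s+ignores return value by\s+(?P<call>.+?)\s+\((?P=file)#(?P<line>\d+)\)\s*$"
)

def split_call(call):
    """Split 'Target(...).method(args)' into (target, method) by matching the final parentheses."""
    depth = 0
    for i in range(len(call) - 1, -1, -1):
        if call[i] == ")":
            depth += 1
        elif call[i] == "(":
            depth -= 1
            if depth == 0:  # opening parenthesis of the outermost argument list
                target, _, method = call[:i].rpartition(".")
                return target, method
    raise ValueError(f"unbalanced call expression: {call!r}")

def parse_findings(text):
    """Return one dict per finding line; lines that do not match the format are skipped."""
    out = []
    for m in filter(None, (FINDING.match(l.strip()) for l in text.splitlines())):
        target, method = split_call(m["call"])
        out.append({
            "caller": f'{m["caller"]}({m["params"]})',
            "callee": ((re.match(r"\w+", target) or [""])[0], method),  # (interface or variable, method)
            "line": int(m["line"]),
            "in_range": int(m["start"]) <= int(m["line"]) <= int(m["end"]),  # call lies inside the caller
        })
    return out

def review_queue(findings):
    """Group call-site lines by callee: one external function definition to read per key."""
    queue = {}
    for f in findings:
        queue.setdefault(f["callee"], []).append(f["line"])
    return queue

print(review_queue(parse_findings(SAMPLE)))
```

For each key, the callee's declared return type and its failure behaviour (revert versus a returned status value) decide whether ignoring the return value matters at the listed lines.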