Open code423n4 opened 2 years ago
Per warden cryptphi, items 1-4, etc need to be added to the PoC section.
Duplicated of #24 at Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom
Disagree with severity, must be a QA because Alice can't call Withdrawer.withdraw() via the Yearn operator without providing her funds from the NestedReserve to the NestedFactory.
NestedFactory does not have any funds.
Will downgrade to QA
as the pre-condition for the High severity won't stand
Lines of code
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/Withdrawer.sol#L26
Vulnerability details
Impact
The Withdrawer contract has a function
withdraw()
which calls an unsafe transferFrom(). A call to transferFrom is frequently done without checking the results. For certain ERC20 tokens, if insufficient tokens are present, no revert occurs but a result of "false" is returned. As explained in https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-callAnd in this function case, if the
weth.transferFrom()
returns false, it would continue the call to withdraw token from the contract and send it to the caller. Thus a user could withdraw free tokens, and eventually some users will be unable to withdraw their tokens.Proof of Concept
https://github.com/code-423n4/2022-06-nested/blob/main/contracts/Withdrawer.sol#L26
This may be possible in a direct call by Alice or a call from YearnCurveVaultOperator contract in https://github.com/code-423n4/2022-06-nested/blob/main/contracts/operators/Yearn/YearnCurveVaultOperator.sol#L81
Tools Used
Manual review
Recommended Mitigation Steps
Check the result of transferFrom and transfer. Or making use of SafeERC20 library: safeTransfer and safeTransferFrom would be recommended