search

code-423n4 / 2022-06-nibbl-findings

1 stars 0 forks source link

Use `safeTransfer/safeTransferFrom` consistently instead of `transfer/transferFrom` #306

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Basket.sol#L87

Vulnerability details

Impact

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Occurences

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Basket.sol#L87

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Basket.sol#L94

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVault.sol#L517

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVault.sol#L526

Recommended Mitigation Steps

Consider using safeTransfer/safeTransferFrom or require() consistently.

mundhrakeshav commented 2 years ago

16

HardlyDifficult commented 2 years ago

Agree this is a best practice. But funds are not lost since the user could simply make the necessary corrections and try the call again when the transfer fails. Lowering risk and merging with the warden's QA report #310