code-423n4 / 2022-06-putty-findings

return value of weth transfer is ignored and unchecked #321

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L336

Vulnerability details

Impact

It is good to add a require() statement that checks the return value of token transfers unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in the contract.

There's only 1 instance of this in the PuttyV2 contract, where the caller tries to convert ETH to WETH and transfer the premium to the order maker. In the case where the WETH transfer fails and returns false, there is no check that the transfer was successful, so the function call continues, allowing the user to fill the order without paying the premium.

Tools Used

Manual review

Recommended Mitigation Steps

Ensure the use of require() to check the return value of IWETH.transfer().

rotcivegaf commented 2 years ago

Duplicate of #427

outdoteth commented 2 years ago

WETH will revert if the transfer fails. So there is no need to check the return value.
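
The difference between the finding and the sponsor's reply comes down to how the token signals failure. The sketch below is an added example, not part of the thread and not code from PuttyV2: `IERC20Like`, `Ledger`, `FalseReturningToken`, `RevertingToken` and `PremiumPayer` are constructed names used only to contrast an unchecked call with a checked one against both kinds of token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Shared bookkeeping for the two constructed tokens below.
abstract contract Ledger {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }
}

// Constructed token that signals failure by returning false.
contract FalseReturningToken is Ledger, IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Constructed token that reverts on failure, the behaviour the sponsor describes for WETH.
contract RevertingToken is Ledger, IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical stand-in for the premium payment step.
contract PremiumPayer {
    // With FalseReturningToken and no balance, this returns normally and nothing moves.
    // With RevertingToken the token's own require() reverts the call.
    function payUnchecked(IERC20Like token, address maker, uint256 premium) external {
        token.transfer(maker, premium);
    }

    // A false return value reverts the call regardless of which token is used.
    function payChecked(IERC20Like token, address maker, uint256 premium) external {
        require(token.transfer(maker, premium), "transfer failed");
    }
}
```

Calling `payUnchecked` on an unfunded `PremiumPayer` succeeds with `FalseReturningToken` and reverts with `RevertingToken`; `payChecked` reverts with both.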