It is good practice to add a require() statement that checks the return value of token transfers unless one is sure the given token reverts on failure. Without this check, a failed transfer passes silently and corrupts token accounting in the contract.
There's only 1 instance of this in the PuttyV2 contract, where the caller converts ETH to WETH and transfers the premium to the order maker. If the WETH transfer fails and returns false, nothing checks that the transfer was successful, so the function call continues and the user can fill the order without paying the premium.
Tools Used
Manual review
Recommended Mitigation Steps
Use require() to check the return value of IWETH.transfer().
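The unchecked pattern described above next to the recommended fix, as an added example that is not the PuttyV2 source. The contract name `PremiumPayer`, its functions, the event and the minimal `IWETH` interface are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Minimal WETH interface assumed for this example.
interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract: names are illustrative, not taken from PuttyV2.
contract PremiumPayer {
    IWETH public immutable weth;

    event OrderFilled(address indexed maker, address indexed taker);

    constructor(IWETH _weth) {
        weth = _weth;
    }

    // Unchecked: if transfer() returns false instead of reverting,
    // execution continues as though the maker had been paid.
    function payPremiumUnchecked(address maker, uint256 premium) external payable {
        require(msg.value == premium, "Incorrect ETH amount");
        weth.deposit{value: msg.value}();
        weth.transfer(maker, premium); // return value discarded
        _fillOrder(maker);
    }

    // Checked: a false return value reverts the whole call, so the
    // order is only filled once the premium has actually moved.
    function payPremiumChecked(address maker, uint256 premium) external payable {
        require(msg.value == premium, "Incorrect ETH amount");
        weth.deposit{value: msg.value}();
        require(weth.transfer(maker, premium), "WETH transfer failed");
        _fillOrder(maker);
    }

    // Stand-in for the order-filling logic that follows the payment.
    function _fillOrder(address maker) internal {
        emit OrderFilled(maker, msg.sender);
    }
}
```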
Lines of code
https://github.com/code-423n4/2022-06-putty/blob/main/contracts/src/PuttyV2.sol#L336