code-423n4 / 2022-08-fiatdao-findings


[H1] Protocol is unusable with some ERC20 tokens #302

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L546
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L657
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L676
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L426
https://github.com/code-423n4/2022-08-fiatdao/blob/fece3bdb79ccacb501099c24b60312cd0b2e4bb2/contracts/VotingEscrow.sol#L486

Vulnerability details

Impact

Protocol unusable for USDT and other bad tokens

Proof of Concept

Some ERC20 tokens do not correctly implement the EIP-20 standard. They just do not return a boolean in the transfer/transferFrom functions and return void instead. Asking them for a boolean will always revert, and you will be unable to use VotingEscrow for those tokens.

Recommended Mitigation Steps

Consider using the SafeERC20 library from OZ
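The failure mode and the recommended fix, as an added illustration that is not the FIAT DAO VotingEscrow code and not OpenZeppelin's own source: a constructed token whose `transfer`/`transferFrom` return nothing (the USDT-style behaviour described above), a hypothetical escrow using the `require(token.transferFrom(...))` pattern against an `IERC20` interface, and the same escrow using `SafeERC20`. The contract names, the `Demo` harness and the deposit/withdraw shape are assumptions; only the OpenZeppelin import paths and library calls are real.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Constructed mock (not a real token): transfer/transferFrom have no
///         `returns (bool)`, so they return empty calldata like USDT does.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transfer(address to, uint256 amount) external {
        _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount; // checked arithmetic reverts on underflow
        _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal {
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// @notice Hypothetical escrow with the pattern the finding criticises.
contract UncheckedEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public locked;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        // The IERC20 interface declares `returns (bool)`. Solidity checks that the
        // callee returned at least 32 bytes before decoding; a void-returning token
        // returns 0 bytes, so this line reverts before `require` even sees a value.
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        locked[msg.sender] += amount;
    }

    function withdraw() external {
        uint256 amount = locked[msg.sender];
        locked[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed"); // same problem
    }
}

/// @notice Same escrow using OpenZeppelin SafeERC20, as the finding recommends.
contract SafeEscrow {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public locked;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        // safeTransferFrom does a low-level call, reverts if the call itself fails,
        // and only decodes a bool when return data is present; empty return data passes.
        token.safeTransferFrom(msg.sender, address(this), amount);
        locked[msg.sender] += amount;
    }

    function withdraw() external {
        uint256 amount = locked[msg.sender];
        locked[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount);
    }
}

/// @notice Assumed harness: deploys the mock token and both escrows, then attempts
///         a deposit into each and reports whether the call reverted.
contract Demo {
    function run() external returns (bool uncheckedOk, bool safeOk) {
        NoReturnToken t = new NoReturnToken(address(this), 1000);
        UncheckedEscrow a = new UncheckedEscrow(IERC20(address(t)));
        SafeEscrow b = new SafeEscrow(IERC20(address(t)));
        t.approve(address(a), 500);
        t.approve(address(b), 500);
        try a.deposit(500) { uncheckedOk = true; } catch { uncheckedOk = false; }
        try b.deposit(500) { safeOk = true; } catch { safeOk = false; }
    }
}
```

Deploying `Demo` and calling `run()` exercises both paths against the void-returning mock: the deposit into `UncheckedEscrow` reverts inside the return-data decoding of `transferFrom`, so the `try` lands in `catch`, while `SafeEscrow` accepts the empty return data and records the lock. The same check covers `transfer` in `withdraw`, which is why the finding lists both the deposit and withdrawal call sites.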

lacoop6tu commented 2 years ago

Duplicate of #231

gititGoro commented 2 years ago

Upgraded severity for tokens like BNB