code-423n4 / 2022-10-thegraph-findings


Unchecked token transfer with callhook #206

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/l2/gateway/L2GraphTokenGateway.sol#L244

Vulnerability details

Impact

Unchecked token transfers are discouraged since some tokens return false instead of reverting on failure. The L2 transaction can revert if the callhook reverts, potentially locking the tokens on the bridge if the callhook never succeeds. This might cause problems in the future.

Proof of Concept

https://github.com/code-423n4/2022-10-thegraph/blob/309a188f7215fa42c745b136357702400f91b4ff/contracts/l2/gateway/L2GraphTokenGateway.sol#L244

Tools Used

Manual review

Recommended Mitigation Steps

Ensure the return value of the callhook in onTokenTransfer is checked.
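The two failure modes the finding describes (a token that returns false instead of reverting, and a callhook that reverts) are easiest to see side by side. The following is an added illustration, not code from the Graph repository or the warden's submission; the contract, interface, event and function names are hypothetical, and the hook signature returning a bool is an assumption made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this finding. Not code from the Graph repository;
// all names below are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

interface ICallhookReceiver {
    // Assumed hook signature for the example: returns true when the
    // receiver accepted the transfer.
    function onTokenTransfer(address from, uint256 amount, bytes calldata data)
        external
        returns (bool);
}

contract ExampleGateway {
    IERC20 public immutable token;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Unchecked pattern. A token that returns false on failure is treated as
    // a success, so the hook runs although no tokens were delivered. The hook
    // call itself is neither checked for its return value nor wrapped, so a
    // false return is ignored while a revert aborts the whole finalization.
    function finalizeUnchecked(address from, address to, uint256 amount, bytes calldata data)
        external
    {
        token.transfer(to, amount);
        if (data.length > 0) {
            ICallhookReceiver(to).onTokenTransfer(from, amount, data);
        }
    }

    // Checked pattern. The ERC-20 return value is required, and a hook that
    // returns false is treated exactly like a hook that reverts: the
    // finalization fails atomically with a readable reason, so the caller's
    // retry mechanism decides what happens next instead of the tokens sitting
    // with the recipient while the hook silently did nothing.
    function finalizeChecked(address from, address to, uint256 amount, bytes calldata data)
        external
    {
        require(token.transfer(to, amount), "token transfer returned false");
        if (data.length > 0) {
            try ICallhookReceiver(to).onTokenTransfer(from, amount, data) returns (bool ok) {
                require(ok, "callhook returned false");
            } catch (bytes memory reason) {
                // Re-raise with the hook's own revert data attached.
                revert(string(abi.encodePacked("callhook reverted: ", reason)));
            }
        }
    }
}
```

Two practical notes. For the transfer check, a wrapper such as OpenZeppelin's SafeERC20 handles both tokens that return false and tokens that return nothing at all, which a bare `require(token.transfer(...))` does not. For the hook, reverting is a design decision: it keeps delivery and hook atomic but relies on the L2 message being re-executable; the alternative, recording the hook failure in an event and completing the transfer anyway, avoids stranding tokens but means a recipient can end up holding tokens whose hook never ran. Which one is appropriate depends on the bridge's retry semantics, which is the question the sponsor's reply below refers to.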

0xean commented 1 year ago

closing, already documented in the code.