code-423n4 / 2022-11-size-findings


Solmate safeTransfer and safeTransferFrom do not check the code size of the token address, which may lead to fund loss #309

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163

Vulnerability details

Impact

In the bid function, the safeTransferFrom function doesn't check the existence of code at the token address. This is a known issue when using Solmate's libraries. Hence this may lead to miscalculation of funds and may lead to loss of funds, because if safeTransferFrom() is called on a token address that doesn't have a contract at it, it will always return success, bypassing the return value check. Due to this, the protocol will think that funds have been transferred successfully, and records will be calculated accordingly, but in reality funds were never transferred. So this will lead to miscalculation and possibly loss of funds.

Proof of Concept

https://github.com/code-423n4/2022-11-size/blob/main/src/SizeSealed.sol#L163

Tools Used

Manual review

Recommended Mitigation Steps

As implemented for baseToken in the createAuction function, the same implementation will also resolve the above issue. Alternatively, you could use OpenZeppelin's library.
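To make the failure mode concrete, here is an added illustration (not code from the SIZE repository, and not Solmate's own SafeTransferLib). `SafeTransferLike` is a hypothetical library that mimics the low-level call pattern the finding describes: the call is treated as successful when it does not revert and the return data is either empty or decodes to `true`. Because a low-level `call` to an address with no code succeeds with empty return data, that pattern accepts a transfer that never happened. `BidEscrow` is a constructed contract with the unchecked pattern beside the mitigated one; the `code.length` check is the defence the finding recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical stand-in for the Solmate-style low-level transfer pattern.
// Not Solmate's code; it reproduces only the behaviour under discussion.
library SafeTransferLike {
    // Selector of transferFrom(address,address,uint256) per the ERC-20 ABI.
    bytes4 private constant TRANSFER_FROM_SELECTOR = bytes4(keccak256("transferFrom(address,address,uint256)"));

    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // A low-level call does NOT check that `token` has code. If `token` is an
        // externally owned account or an empty address, `ok` is true and `data`
        // is empty, so the require below passes although no tokens moved.
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(TRANSFER_FROM_SELECTOR, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "TRANSFER_FROM_FAILED");
    }
}

// Constructed escrow that credits a bidder after pulling tokens from them.
contract BidEscrow {
    // token => bidder => amount the contract believes it holds for that bidder
    mapping(address => mapping(address => uint256)) public credited;

    // Vulnerable pattern: no code-size check on `token`. A bid with a token
    // address that has no code is recorded as if funds had been received.
    function bidUnchecked(address token, uint256 amount) external {
        SafeTransferLike.safeTransferFrom(token, msg.sender, address(this), amount);
        credited[token][msg.sender] += amount;
    }

    // Mitigated pattern (the same check the finding says createAuction applies
    // to baseToken): reject any token address without deployed code before the
    // low-level transfer is attempted.
    function bidChecked(address token, uint256 amount) external {
        require(token.code.length > 0, "token address has no code");
        SafeTransferLike.safeTransferFrom(token, msg.sender, address(this), amount);
        credited[token][msg.sender] += amount;
    }
}
```

In a Foundry or Hardhat test, calling `bidUnchecked` with an arbitrary non-contract address and a non-zero amount leaves `credited` incremented while the contract's real token balance is unchanged; the same call against `bidChecked` reverts with "token address has no code". Note that `address.code.length` is available from Solidity 0.8.0; older compilers need inline assembly `extcodesize` for the same check.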

trust1995 commented 1 year ago

Seller can theoretically suffer from abuse if they finalize an auction where malicious buyers bid with non-existent tokens. However, only the seller can be impacted negatively, and it requires serious negligence on their part. Dup of #318.

c4-judge commented 1 year ago

0xean marked the issue as duplicate

c4-judge commented 1 year ago

0xean marked the issue as satisfactory