The ERC20 specification does not demand implementations to revert when the transfer and transferFrom functions fail. They may use the return value to signal the success code. Some tokens, like ZRX, indeed don't revert.
In Collateral deposit() and withdraw() functions, baseToken transferFrom/transfer is used without checking return code:
baseToken is some ERC20 token chosen to be the underlying collateral of the Collateral.sol ERC20. In the deposit() flow, the impact of not checking transferFrom success is critical. User can mint an infinite amount of Collateral ERC20 tokens.
_mint(_recipient, _collateralMintAmount);.
Therefore, Collateral.sol does not work with ERC20 compatible baseTokens, breaking functionality of the contract.
Note:
unsafe transfer/transferForm is also used in TokenSender.send() and WithdrawHook.hook() functions.
Impact
Collateral.sol does not work with ERC20 compatible baseTokens, breaking functionality of the contract.
Tools Used
Manual audit
Recommended Mitigation Steps
Use SafeERC20 library from OpenZeppelin when interacting with generic ERC20 tokens.
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/Collateral.sol#L49
Vulnerability details
Description
The ERC20 specification does not demand implementations to revert when the transfer and transferFrom functions fail. They may use the return value to signal the success code. Some tokens, like ZRX, indeed don't revert.
In Collateral deposit() and withdraw() functions, baseToken transferFrom/transfer is used without checking return code:
baseToken is some ERC20 token chosen to be the underlying collateral of the Collateral.sol ERC20. In the deposit() flow, the impact of not checking transferFrom success is critical. User can mint an infinite amount of Collateral ERC20 tokens.
_mint(_recipient, _collateralMintAmount);
.Therefore, Collateral.sol does not work with ERC20 compatible baseTokens, breaking functionality of the contract.
Note: unsafe transfer/transferForm is also used in TokenSender.send() and WithdrawHook.hook() functions.
Impact
Collateral.sol does not work with ERC20 compatible baseTokens, breaking functionality of the contract.
Tools Used
Manual audit
Recommended Mitigation Steps
Use SafeERC20 library from OpenZeppelin when interacting with generic ERC20 tokens.