Closed code423n4 closed 1 year ago
SafeTransferLib is not the same as the Solmate implementation. However, the check for the contract existence is missing as well. Nevertheless, it's the user's responsibility to make sure the interacted tokens are trustworthy. Hence, I'm considering downgrading to QA (Low).
Leaving open for sponsor review.
berndartmueller marked the issue as duplicate of #141
berndartmueller changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Pair.sol#L14
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L14
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/LendgineRouter.sol#L16
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/Payment.sol#L7
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/periphery/SwapHelper.sol#L9
Vulnerability details
Impact
Solmate's SafeTransferLib, which is often used to interact with non-compliant/unsafe ERC20 tokens, does not check whether the ERC20 contract exists. The following code will not revert in case the token doesn't exist (yet).
Proof of Concept
This is stated in the Solmate library: https://github.com/transmissions11/solmate/blob/1b3adf677e7e383cc684b5d5bd441da86bf4bf1c/src/utils/SafeTransferLib.sol#L9
File: src/periphery/Payment.sol
File: src/core/Pair.sol
File: src/periphery/LendgineRouter.sol
File: src/core/Lendgine.sol
SafeTransferLib.safeTransfer(token1, to, collateral); // optimistically transfer
SafeTransferLib.safeTransfer(token1, to, collateral);
File: src/periphery/SwapHelper.sol
Tools Used
Manual Review
Recommended Mitigation Steps
Add a contract existence check in the functions.
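The gap this finding describes, as an added example that is not code from the Numoen repository, Solmate, or the report. The library name `CheckedTransferLib`, the interface `IERC20Minimal`, and both function names are hypothetical. The first function shows why a transfer to a code-less address passes, and the second adds the existence check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration; all names here are hypothetical.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

library CheckedTransferLib {
    error TokenHasNoCode(address token);
    error TransferFailed(address token);

    // Pattern without the existence check. A CALL to an address with no code
    // succeeds and returns no data. Empty return data is accepted on purpose,
    // to support tokens whose transfer() returns nothing, so a "transfer" on a
    // token that is not deployed (yet) does not revert.
    function uncheckedTransfer(address token, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Minimal.transfer.selector, to, amount)
        );
        // Fail on a reverted call, or on return data that does not decode to true.
        if (!ok || (ret.length != 0 && !abi.decode(ret, (bool)))) {
            revert TransferFailed(token);
        }
    }

    // Hardened variant: reject addresses without code before the low-level call,
    // so the empty-return-data path can only be reached by a real contract.
    function checkedTransfer(address token, address to, uint256 amount) internal {
        if (token.code.length == 0) revert TokenHasNoCode(token);
        uncheckedTransfer(token, to, amount);
    }
}
```

The check reflects the code size at call time only: an address whose contract is still in its constructor also reports a code length of zero and is rejected.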