search

code-423n4 / 2023-05-ajna-findings

2 stars 0 forks source link

Function Selector Of transfer i.e. 0xa9059cbb Is Used Which Will Return True Even On Failed Transfers #385

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L125

Vulnerability details

Impact

Function Selector Of transfer Is Used i.e. 0xa9059cbb Which Will Return True Even On Failed Transfers

Proof of Concept

1.) We validate that the selector/calldata used in the execute function is of ERC-20 transfer here https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L125

2.) We execute here in the _execute function https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L63 .

3.) The problem is that ERC-20 transfer returns a bool , and even if the transfer fails , the call return value (bool success) would be true since the call did not revert. Therefore execute function would be processed but no transfer would be done. Use the selector for safeTransfer instead

Tools Used

Manual Analysis , VSCode

Recommended Mitigation Steps

Use the selector for safeTransfer instead

Assessed type

ERC20

Picodes commented 1 year ago

Using ajna token it would revert

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid