Lines of code

https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L125

Vulnerability details

Impact

The function selector of transfer, i.e. 0xa9059cbb, is used. The low-level call made with it still reports success (true) even when the token transfer itself fails.

Proof of Concept
1.) We validate that the selector/calldata used in the execute function is that of ERC-20 transfer here: https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L125

2.) We execute it here in the _execute function: https://github.com/code-423n4/2023-05-ajna/blob/main/ajna-grants/src/grants/base/Funding.sol#L63

3.) The problem is that ERC-20 transfer returns a bool, and even if the transfer fails, the call return value (bool success) would be true since the call did not revert. Therefore the execute function would be processed but no transfer would be done. Use the selector for safeTransfer instead.

Tools Used
Manual Analysis , VSCode
Recommended Mitigation Steps

Use the selector for safeTransfer instead.

Assessed type

ERC20
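The following is an added illustration, not code from the Ajna repository or the finding above: a constructed token whose transfer() returns false instead of reverting, an executor that only checks the low-level call's success flag (the pattern the Proof of Concept describes), and a hardened executor that additionally decodes the returned bool and checks the target has code, which is the same check OpenZeppelin's SafeERC20.safeTransfer performs. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed token for the demo: a failed transfer returns false, it does not revert.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1000; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Executor {
    // Calldata a proposal would carry: selector 0xa9059cbb = transfer(address,uint256).
    function transferCalldata(address to, uint256 amount) external pure returns (bytes memory) {
        return abi.encodeWithSignature("transfer(address,uint256)", to, amount);
    }

    // Vulnerable pattern: `success` only says the call did not revert. When the
    // executor holds no balance, transfer() returns false and this still passes.
    function executeUnsafe(address token, bytes calldata data) external {
        (bool success, ) = token.call(data);
        require(success, "call reverted");
    }

    // Hardened pattern: the target must be a contract (a call to an EOA also
    // "succeeds" with empty return data), the call must not revert, and any
    // returned data must decode to true. Tokens that return nothing (no return
    // data) are accepted, as SafeERC20 does.
    function executeSafe(address token, bytes calldata data) external {
        require(token.code.length > 0, "token is not a contract");
        (bool success, bytes memory ret) = token.call(data);
        require(success, "call reverted");
        require(ret.length == 0 || abi.decode(ret, (bool)), "transfer returned false");
    }
}
```

Calling executeUnsafe with FalseReturningToken and calldata from transferCalldata succeeds even though no tokens move; executeSafe reverts with "transfer returned false".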