code-423n4 / 2023-06-stader-findings


Calls transfer()/transferFrom() With IERC20 #289

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L87

Vulnerability details

Calls transfer()/transferFrom() With IERC20

Description

The transfer()/transferFrom() functions are methods in the ERC-20 standard for transferring tokens from one address to another. However, these functions are not safe for transferring tokens to smart contracts that do not implement the ERC-20 onTokenReceived function. This is because the transferFrom function does not guarantee that the receiving smart contract will handle the transferred tokens correctly, and in some cases the tokens may be lost forever.

On the other hand, the safeTransferFrom function is a safer way to transfer tokens because it first checks whether the receiving address is a contract that implements the onTokenReceived function before transferring the tokens. If the receiving address is not a contract or does not implement the onTokenReceived function, the transfer will fail and the tokens will not be lost.

There are 6 instances of this issue:

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L55

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L114

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SDCollateral.sol#L47

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SocializingPool.sol#L129

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SDCollateral.sol#L68

https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L87

Assessed type

ERC20
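As an added illustration (not code from the Stader repository or from the finding above), a minimal contract showing the bare `transfer()` call the finding flags beside the `SafeERC20` wrapper; the contract, function and variable names are hypothetical, and OpenZeppelin's `SafeERC20` library is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical vault (not Stader's Auction.sol) that pays out an ERC-20 token.
contract TokenVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    address public immutable owner;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Pattern the finding flags: the bool returned by transfer() is
    // discarded, so a token that returns false instead of reverting
    // lets this call "succeed" with no tokens moved, and a token that
    // returns no value at all cannot be called through IERC20 here.
    function payoutUnchecked(address to, uint256 amount) external onlyOwner {
        token.transfer(to, amount);
    }

    // Hardened form: SafeERC20.safeTransfer reverts when the low-level
    // call fails, when it returns false, or when the token address has
    // no code, and it accepts tokens that return no value.
    function payoutSafe(address to, uint256 amount) external onlyOwner {
        token.safeTransfer(to, amount);
    }
}
```

Calling `payoutUnchecked` on a token whose `transfer` returns `false` leaves the vault's accounting out of sync with its balance; `payoutSafe` reverts instead.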

c4-judge commented 1 year ago

Picodes marked the issue as duplicate of #380

c4-judge commented 1 year ago

Picodes marked the issue as unsatisfactory: Invalid