Closed code423n4 closed 11 months ago
0xSorryNotSorry marked the issue as primary issue
this was specifically marked as out of scope in the contest description
Comptroller _rescueFunds function does not check the return value of transfer. This is expected.
ElliotFriedman marked the issue as sponsor disputed
Out of scope
alcueca marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-07-moonwell/blob/4aaa7d6767da3bc42e31c18ea2e75736a4ea53d4/src/core/Comptroller.sol#L965 https://github.com/code-423n4/2023-07-moonwell/blob/4aaa7d6767da3bc42e31c18ea2e75736a4ea53d4/src/core/Comptroller.sol#L967
Vulnerability details
Impact
Tokens that don’t actually perform the transfer and return false are still counted as a correct transfer and the tokens remain in the SingleNativeTokenExitV2 contract and could potentially be stolen by someone else.
Proof of Concept
The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead.
Tools Used
Recommended Mitigation Steps
We recommend using OpenZeppelin’s
SafeERC20
versions with thesafeTransfer
andsafeTransferFrom
functions that handle the return value check as well as non-standard-compliant tokens.Assessed type
ERC20