Description:
The flashloan function in the code you provided does not check if the amount of ERC1155 tokens being flashed is available. This could lead to a situation where the function fails to complete because the caller does not have enough ERC1155 tokens to transfer. This bug pertains to the lack of a check to verify if the caller has enough ERC1155 tokens available for transfer. As a result, the function may proceed with the transfer even if the caller does not have a sufficient balance of ERC1155 tokens, potentially causing the function to fail.
Impact:
The impact of this bug is substantial and can lead to various issues:
Financial Impact: If the caller does not have a sufficient balance of ERC1155 tokens, the function may fail to complete as expected, potentially resulting in financial losses for users or contract operators.
Security Risk: The absence of this check can open up vulnerabilities that malicious actors might exploit. They could intentionally trigger the function without having the necessary tokens, causing disruptions or financial harm.
Recommendation:
To address this, take the following steps:
1. Locate the ERC1155 block in the flashloan function's code:

    else if (info.tokenType == IDelegateRegistry.DelegationType.ERC1155) {
        RegistryHelpers.revertERC1155FlashAmountUnavailable(delegateRegistry, info);
        // Check if the caller has enough ERC1155 tokens to transfer
        require(IERC1155(info.tokenContract).balanceOf(address(this), info.tokenId) >= info.amount, "Insufficient balance for ERC1155 transfer");
        TransferHelpers.checkERC1155BeforePull(erc1155PullAuthorization, info.amount);
        IERC1155(info.tokenContract).safeTransferFrom(address(this), info.receiver, info.tokenId, info.amount, "");
        Helpers.revertOnCallingInvalidFlashloan(info);
        TransferHelpers.pullERC1155AfterCheck(erc1155PullAuthorization, info.amount, info.tokenContract, info.tokenId);
    }

Implement the ERC1155 balance check as shown above. This check ensures that the caller has enough ERC1155 tokens to complete the transfer.
Lines of code
https://github.com/code-423n4/2023-09-delegate/blob/main/src/DelegateToken.sol#L389
Tools used
Manual review
Assessed type
Invalid Validation
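
The check-lend-verify ordering that the recommendation above describes, as an added example that is not part of the original report and is not DelegateToken code. The contract, the `IFlashBorrower` callback and the error names are hypothetical; the only assumption about the token is that it follows the ERC-1155 interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not DelegateToken code. All names below are hypothetical.
interface IERC1155Min {
    function balanceOf(address account, uint256 id) external view returns (uint256);
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

interface IFlashBorrower {
    // Assumed callback: the borrower must send the tokens back before it returns.
    function onFlashloan(address token, uint256 id, uint256 amount, bytes calldata data) external;
}

contract ERC1155FlashLender {
    error FlashAmountUnavailable(uint256 available, uint256 requested);
    error FlashloanNotRepaid(uint256 expected, uint256 actual);

    function flashloan(address token, uint256 id, uint256 amount, address receiver, bytes calldata data) external {
        IERC1155Min erc1155 = IERC1155Min(token);

        // 1. Pre-check: fail with a descriptive error before any token moves.
        uint256 balanceBefore = erc1155.balanceOf(address(this), id);
        if (balanceBefore < amount) revert FlashAmountUnavailable(balanceBefore, amount);

        // 2. Lend the tokens, then hand control to the borrower.
        erc1155.safeTransferFrom(address(this), receiver, id, amount, "");
        IFlashBorrower(receiver).onFlashloan(token, id, amount, data);

        // 3. Post-check: the whole call reverts unless the balance is restored.
        uint256 balanceAfter = erc1155.balanceOf(address(this), id);
        if (balanceAfter < balanceBefore) revert FlashloanNotRepaid(balanceBefore, balanceAfter);
    }

    // ERC-1155 receiver hook so the borrower can return tokens with safeTransferFrom.
    function onERC1155Received(address, address, uint256, uint256, bytes calldata) external pure returns (bytes4) {
        return bytes4(0xf23a6e61); // selector of onERC1155Received
    }

    // ERC-165 support for the ERC-165 and ERC-1155 token receiver interface ids.
    function supportsInterface(bytes4 interfaceId) external pure returns (bool) {
        return interfaceId == bytes4(0x01ffc9a7) || interfaceId == bytes4(0x4e2312e0);
    }
}
```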