code-423n4 / 2023-10-wildcat-findings

Invalid validation of `releaseEscrow()` success #612

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-10-wildcat/blob/c5df665f0bc2ca5df6f06938d66494b11e7bdada/src/WildcatSanctionsEscrow.sol#L33-L41

Vulnerability details

Impact

WildcatSanctionsEscrow.releaseEscrow() does not return any value on failure/success. This would cause external smart contracts utilising releaseEscrow() to not be able to track the success status. Even though the function emits the EscrowReleased event, events are not accessible from within contracts.

Proof of Concept

    function releaseEscrow() public override {
        if (!canReleaseEscrow()) revert CanNotReleaseEscrow();

        uint256 amount = balance();

        IERC20(asset).transfer(account, amount);

        emit EscrowReleased(account, asset, amount);
    }

WildcatSanctionsEscrow.sol#L33-L41

Tools Used

Manual Review

Recommended Mitigation Steps

Return a boolean return value to track if the release was successful.

Assessed type

Invalid Validation
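
How a calling contract can observe the outcome of the `releaseEscrow()` snippet quoted in the report above, shown as an added example that is not part of the issue or of the Wildcat code base. The interfaces, the `EscrowReleaseTracker` contract and its names are hypothetical, and external visibility of `balance()` is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal interfaces. Only the function names releaseEscrow() and
// balance() come from the quoted snippet; visibility and return types are assumed.
interface IEscrowLike {
    function releaseEscrow() external;
    function balance() external view returns (uint256);
}

interface IERC20Like {
    function balanceOf(address owner) external view returns (uint256);
}

// Hypothetical integrating contract: converts "call did not revert" into an
// explicit boolean that is verified against the beneficiary's token balance.
contract EscrowReleaseTracker {
    event ReleaseAttempt(address indexed escrow, bool success, uint256 received);

    function tryRelease(IEscrowLike escrow, IERC20Like token, address beneficiary)
        external
        returns (bool success, uint256 received)
    {
        uint256 expected = escrow.balance();
        uint256 balBefore = token.balanceOf(beneficiary);

        // The snippet reverts with CanNotReleaseEscrow() when release is not
        // allowed, so try/catch yields a failure signal without a return value.
        try escrow.releaseEscrow() {
            // The snippet ignores the bool returned by IERC20.transfer, so a
            // token that returns false instead of reverting would pass silently.
            // Confirm the beneficiary actually received the escrowed amount.
            uint256 balAfter = token.balanceOf(beneficiary);
            received = balAfter > balBefore ? balAfter - balBefore : 0;
            success = (received == expected);
        } catch {
            success = false;
        }

        emit ReleaseAttempt(address(escrow), success, received);
    }
}
```

With fee-on-transfer or rebasing tokens the strict equality check reports `false` even when the transfer went through, so an integrator handling such assets would compare against a tolerance instead.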

c4-pre-sort commented 1 year ago

minhquanym marked the issue as low quality report

minhquanym commented 1 year ago

QA

c4-judge commented 1 year ago

MarioPoneder changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

MarioPoneder marked the issue as grade-c