Closed c4-bot-4 closed 8 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Bot: [L-13] Some tokens may revert when zero value transfers are made
3docSec marked the issue as unsatisfactory: Out of scope
Lines of code
https://github.com/code-423n4/2024-03-coinbase/blob/main/src/MagicSpend/MagicSpend.sol#L334
Vulnerability details
Impact
The withdraw amount can be zero, while _withdraw attempts to send it in such a case anyway, as there is no check in place. Some ERC20 tokens do not allow zero-value transfers, reverting such attempts.
Proof of Concept
    function _withdraw(address asset, address to, uint256 amount) internal {
        if (asset == address(0)) {
    @>      SafeTransferLib.safeTransferETH(to, amount);
        } else {
    @>      SafeTransferLib.safeTransfer(asset, to, amount);
        }
    }
Tools Used
Recommended Mitigation Steps
    function _withdraw(address asset, address to, uint256 amount) internal {
        if (amount > 0) {
            if (asset == address(0)) {
                SafeTransferLib.safeTransferETH(to, amount);
            } else {
                SafeTransferLib.safeTransfer(asset, to, amount);
            }
        }
    }
Assessed type
Token-Transfer
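The behaviour described in the report, reproduced as an added example that is not part of the original submission or of the MagicSpend code base. ZeroRevertToken, WithdrawHarness and ZeroTransferCheck are constructed names, and a plain ERC20 call stands in for SafeTransferLib; run() shows the unguarded path reverting on a zero amount while the guarded path completes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock: an ERC20-like token that rejects zero-value transfers.
contract ZeroRevertToken {
    mapping(address => uint256) public balanceOf;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(amount > 0, "zero-value transfer");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical harness (not MagicSpend): same branch structure as _withdraw,
// with a direct token call standing in for SafeTransferLib.
contract WithdrawHarness {
    function withdrawUnchecked(address asset, address to, uint256 amount) external {
        _send(asset, to, amount);
    }

    function withdrawGuarded(address asset, address to, uint256 amount) external {
        if (amount > 0) _send(asset, to, amount); // the recommended guard
    }

    function _send(address asset, address to, uint256 amount) private {
        if (asset == address(0)) {
            (bool ok,) = to.call{value: amount}("");
            require(ok, "ETH transfer failed");
        } else {
            require(ZeroRevertToken(asset).transfer(to, amount), "transfer failed");
        }
    }
}

// Deploys both contracts and records how each path handles amount == 0.
contract ZeroTransferCheck {
    function run() external returns (bool uncheckedReverted, bool guardedSucceeded) {
        WithdrawHarness h = new WithdrawHarness();
        ZeroRevertToken t = new ZeroRevertToken(address(h), 1 ether);
        try h.withdrawUnchecked(address(t), address(this), 0) {} catch { uncheckedReverted = true; }
        try h.withdrawGuarded(address(t), address(this), 0) { guardedSucceeded = true; } catch {}
    }
}
```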