code-423n4 / 2024-04-revert-mitigation-findings

ADD-03 MitigationConfirmed #72

Open c4-bot-5 opened 2 months ago

c4-bot-5 commented 2 months ago

Lines of code

Vulnerability details

C4 issue

ADD-03: Some ERC20 can revert on a zero value transfer

Comments

Some ERC20 tokens may revert if the transfer amount is zero when calling ERC20.transfer or ERC20.transferFrom. In numerous locations, Revert allows for these zero token transfers.

Mitigation

PR #28

In the PR, Revert adds a safety check in AutoCompound.withdrawBalances() that checks if the balance is non-zero. If it is non-zero, then _withdrawBalanceInternal() will be called. This ensures that only non-zero-amount ERC20 transfers will occur.

Anything Else We Should Know

I found three functions in the codebase that do not check if the ERC20 transfer amounts are zero. Although these three separate code locations are not mitigated, I believe that this is acceptable. This is because there is no practical purpose for interacting with these three functions with an amount set to zero.

Conclusion

LGTM
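The zero-balance guard described under Mitigation, shown next to the unguarded form as an added example (not Revert's code and not part of the comment above). The batch signature, `IERC20Like`, `ZeroRevertingToken` and `BalanceWithdrawer` are assumptions made for illustration; only the names `withdrawBalances` and `_withdrawBalanceInternal` come from the issue.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed sample token: rejects zero-value transfers, as some ERC20s do.
contract ZeroRevertingToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(amount > 0, "zero transfer");
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical stand-in for the contract under review; access control is
// omitted and the signatures are assumptions, not taken from the project.
contract BalanceWithdrawer {
    // Unguarded: a single zero-balance token of the kind above reverts the whole batch.
    function withdrawBalancesUnguarded(address[] calldata tokens, address to) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balance = IERC20Like(tokens[i]).balanceOf(address(this));
            _withdrawBalanceInternal(tokens[i], to, balance);
        }
    }

    // Guarded: tokens with nothing to send are skipped, so no zero-value transfer is made.
    function withdrawBalances(address[] calldata tokens, address to) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balance = IERC20Like(tokens[i]).balanceOf(address(this));
            if (balance > 0) {
                _withdrawBalanceInternal(tokens[i], to, balance);
            }
        }
    }

    function _withdrawBalanceInternal(address token, address to, uint256 amount) internal {
        require(IERC20Like(token).transfer(to, amount), "transfer failed");
    }
}
```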

c4-judge commented 2 months ago

jhsagd76 marked the issue as satisfactory

c4-judge commented 2 months ago

jhsagd76 marked the issue as confirmed for report