ADD-03: Some ERC20 can revert on a zero value transfer
Comments
Some ERC20 tokens may revert if the transfer amount is zero when calling ERC20.transfer or ERC20.transferFrom. In numerous locations, Revert allows for these zero token transfers.
Mitigation
PR #28
In the PR, Revert adds a safety check in AutoCompound.withdrawBalances() that checks whether the balance is non-zero. If it is non-zero, then _withdrawBalanceInternal() will be called. This ensures that only ERC20 transfers with a non-zero amount will occur.
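The guard pattern described above, as an added example that is not Revert's code and is not taken from PR #28: `ZeroRevertToken`, `GuardedVault`, `credit`, `withdrawAllUnguarded` and `withdrawAllGuarded` are hypothetical names, and the token is constructed to reject zero-value transfers the way the affected ERC20s do.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed token: rejects zero-value transfers, like the ERC20s described above.
contract ZeroRevertToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(amount != 0, "zero-value transfer");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical vault (not AutoCompound): per-user balances across several tokens.
contract GuardedVault {
    mapping(address => mapping(address => uint256)) public balances; // user => token => amount

    // Demo-only bookkeeping; assumes the tokens were already sent to this contract.
    function credit(address user, address token, uint256 amount) external {
        balances[user][token] += amount;
    }

    // Unguarded: one zero balance on a zero-reverting token reverts the whole batch.
    function withdrawAllUnguarded(address[] calldata tokens, address to) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            _withdraw(tokens[i], to, balances[msg.sender][tokens[i]]);
        }
    }

    // Guarded: skip zero balances so transfer() is never called with amount 0.
    function withdrawAllGuarded(address[] calldata tokens, address to) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            uint256 balance = balances[msg.sender][tokens[i]];
            if (balance > 0) _withdraw(tokens[i], to, balance);
        }
    }

    function _withdraw(address token, address to, uint256 amount) internal {
        balances[msg.sender][token] -= amount;
        require(ZeroRevertToken(token).transfer(to, amount), "transfer failed");
    }
}
```

With two token instances and a credit on only one of them, `withdrawAllUnguarded` reverts for the caller while `withdrawAllGuarded` pays out the funded token and skips the empty one.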
Anything Else We Should Know
I found three functions in the codebase that do not check if the ERC20 transfer amounts are zero. Although these three separate code locations are not mitigated, I believe that this is acceptable. This is because there is no practical purpose for interacting with these three functions with an amount set to zero.
Lines of code
Vulnerability details
C4 issue
ADD-03: Some ERC20 can revert on a zero value transfer
Conclusion
LGTM