Lines of code

https://github.com/code-423n4/2024-05-munchables/blob/57dff486c3cd905f21b330c2157fe23da2a4807d/src/managers/LockManager.sol#L374-L377

Vulnerability details

Impact

The transferFrom function is used to transfer the tokens being locked. This scope includes no-revert tokens, which return a boolean set to false instead of reverting when the transfer fails. Since this return value is not checked in LockManager.sol::lock, an attacker can send nonexistent funds that are nevertheless accounted for as locked tokens. This vulnerability allows the attacker to subsequently drain the funds of other users.

```solidity
function _lock(
...
    // Transfer erc tokens
    if (_tokenContract != address(0)) {
        IERC20 token = IERC20(_tokenContract);
@>      token.transferFrom(_tokenOwner, address(this), _quantity);
    }
...
```

Proof of Concept

For a PoC of this issue, the NoRevert.sol contract example found on GitHub is used. Deploy the contract in the current test suite in MunchablesTest.sol and configure it similarly to USDB, ETH and WETH. Once this is done you can run the following function:

Tools Used

Manual review.

Recommended Mitigation Steps

Use the SafeERC20 library from OpenZeppelin in LockManager.sol::lock:

Assessed type

ERC20