Lines of code
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/Dispenser.sol#L419
https://github.com/code-423n4/2024-05-olas/blob/main/tokenomics/contracts/Dispenser.sol#L456
Vulnerability details
Impact
Tokens not compliant with the ERC20 specification could return false from the transfer function call to indicate that the transfer failed, while the calling contract would not notice the failure if the return value is not checked. Checking the return value is a requirement, as written in the EIP-20 specification.
Proof of Concept
At the referenced lines of Dispenser.sol the boolean returned by transfer is discarded, so a token that signals failure by returning false leaves the contract believing the OLAS was sent:
// Transfer corresponding OLAS amounts to the deposit processor
if (transferAmount > 0) {
    IToken(olas).transfer(depositProcessor, transferAmount);
}
Tools Used
Recommended Mitigation Steps
Use a safeTransfer wrapper (for example OpenZeppelin's SafeERC20), which reverts when the transfer does not succeed:
if (transferAmount > 0) {
    IToken(olas).safeTransfer(depositProcessor, transferAmount);
}
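The following is an added, self-contained illustration of the issue and of the mitigation; it is not code from the OLAS repository. The contract names (FalseReturningToken, UncheckedDispenser, CheckedDispenser, SafeTransfer) are hypothetical, and the SafeTransfer library reproduces the semantics of OpenZeppelin's SafeERC20.safeTransfer (revert unless the call succeeds and returns either nothing or true) rather than importing it:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for the unchecked-transfer finding. All contract and library
// names below are hypothetical and not part of the audited code base.

interface IToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Token that reports failure by returning false instead of reverting,
// which is the non-compliant behaviour the finding is about.
contract FalseReturningToken is IToken {
    mapping(address => uint256) public override balanceOf;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (balanceOf[msg.sender] < amount) {
            return false; // no revert: the caller must check this value
        }
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern: the boolean is discarded, so a failed transfer is
// treated as success and the contract's accounting diverges from real balances.
contract UncheckedDispenser {
    IToken public immutable olas;
    mapping(address => uint256) public credited;

    constructor(IToken _olas) {
        olas = _olas;
    }

    function payOut(address depositProcessor, uint256 transferAmount) external {
        if (transferAmount > 0) {
            olas.transfer(depositProcessor, transferAmount);
            // Recorded even when transfer returned false.
            credited[depositProcessor] += transferAmount;
        }
    }
}

// Mitigation: same checks SafeERC20.safeTransfer performs. A low-level call is
// used so tokens that return no data at all are accepted, while a returned
// false (or a reverting call) aborts the whole transaction.
library SafeTransfer {
    function safeTransfer(IToken token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IToken.transfer.selector, to, amount)
        );
        require(
            ok && (data.length == 0 || abi.decode(data, (bool))),
            "SafeTransfer: transfer failed"
        );
    }
}

contract CheckedDispenser {
    using SafeTransfer for IToken;

    IToken public immutable olas;
    mapping(address => uint256) public credited;

    constructor(IToken _olas) {
        olas = _olas;
    }

    function payOut(address depositProcessor, uint256 transferAmount) external {
        if (transferAmount > 0) {
            // Reverts on a false return, so credited[] can never exceed what was sent.
            olas.safeTransfer(depositProcessor, transferAmount);
            credited[depositProcessor] += transferAmount;
        }
    }
}
```

Deploying FalseReturningToken with a supply smaller than transferAmount and calling payOut on each dispenser shows the difference: UncheckedDispenser completes and increments credited[] although the token balance of depositProcessor is unchanged, while CheckedDispenser reverts with "SafeTransfer: transfer failed" and leaves no inconsistent state behind.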
Assessed type
Context