Usage of Low-Level .call() Function

[c4-bot-2]

Lines of code

https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/CollateralTracker.sol#L1

Vulnerability details

I have identified another potential vulnerability related to the usage of the .call() function:

Smart Contract: CollateralTracker

File: CollateralTracker.sol

Vulnerability: Usage of Low-Level .call() Function

Description: The smart contract uses the low-level .call() function in the _setup() function, which can introduce potential security risks due to the lack of type safety and the possibility of introducing re-entrancy attacks.

Proof of Concept: The .call() function is used to execute arbitrary code in the _setup() function:

function _setup(address token, uint256 initialAmount, uint256 fee) internal {
    s_underlyingToken = token;
    s_initialized = true;
    _setITMSpreadFee(fee);
    uint256 initialBalance = initialAmount;
    s_underlyingToken.call(bytes4(keccak256("transfer(address,uint256)")), address(this), initialBalance);
}

Recommendation: Avoid using the low-level .call() function whenever possible. Instead, use the high-level .transfer() or .transferFrom() functions. If the .call() function must be used, ensure that proper checks are in place to protect against re-entrancy attacks, and use the .call.value() function to securely transfer Ether.

Mitigation: Replace the usage of the low-level .call() function with the high-level .transfer() function:

function _setup(address token, uint256 initialAmount, uint256 fee) internal {
    s_underlyingToken = token;
    s_initialized = true;
    _setITMSpreadFee(fee);
    s_underlyingToken.transfer(address(this), initialAmount);
}

Disclosure: The vulnerability described in this report has been discovered by me during a routine code review. I have not exploited it in any way, and I am reporting it to the development team to ensure the security of the protocol.

Assessed type

call/delegatecall