Closed howlbot-integration[bot] closed 2 months ago
MiloTruck marked the issue as unsatisfactory: Invalid
MiloTruck marked the issue as not a duplicate
Invalid.
The transfer here is from the caller of handleSlashing()
to the SlashingHandler
contract. The case you pointed out is when the transfer is from the SlashingHandler
contract, if the call was:
SafeTransferLib.safeTransferFrom(address(token), address(this), ..., ...)
Lines of code
https://github.com/code-423n4/2024-07-karak/blob/ab18e1f6c03e118158369527baa2487b2b4616b1/src/SlashingHandler.sol#L52-L59
Vulnerability details
Impact
The slashing mechanism in the Vault contract may fail or behave inconsistently when handling certain ERC20 tokens on chains with non-standard token implementations, such as Blast.
Proof of Concept
According to ReadMe,
ERC20 token behaviors in scope
WETH is a type of ERC-20.
Also, it's explicitly stated that the protocol will be deployed on the Blast chain too. However, if we look at the
handleSlashing
function ofSlashingHandler.sol
contract,The token transfer is done using the safeTransferFrom method. This works fine on most chains (Ethereum, Optimism, Polygon, BSC) which use the standard WETH9 contract that handles the case src == msg.sender:
WETH9.sol
The problem is that the WETH implementation on Blast uses a different contract, and does not have this
src == msg.sender handling
.Also, the issue is presented in Wrapped Arbitrum and Wrapped Fantom.
Setup a foundry environment, get an Arbitrum RPC endpoint url and run the following command:
forge test --match-test testTransferFromIssue --fork-url {YOUR_RPC}
. This will revert with a ERC20: transfer amount exceeds allowance error, because of the issue described above.Tools used
manual review
Recommended Mitigation Steps
Modify
handleSlashing
inslashinghandler.sol
as follows:Assessed type
ERC20