Unexpected functionality: no transfers while transfer should happen, deploying vault with non-existing tokens. Note: will examine impact more thoroughly after the submission
Description
The Catalyst codebase uses Solmate's SafeTransferLib for transferring ERC20 tokens across the catalystdao/catalyst codebase. However the codebase does not check if the provided token addresses do really exist or not. The difference between openzeppelin's SafeERC20 and Solmate's SafeTransferLib is: while Openzeppelin checks if the token is a contract, Solmate does not.
File: CatalystVaultCommon.sol
384: ERC20(asset).safeTransfer(governanceFeeDestination(), governanceFeeAmount);
530: ERC20(escrowToken).safeTransfer(fallbackAddress, escrowAmount); // Would fail if there is no balance. To protect against this, the escrow amount should be removed from what can be claimed by users.
690: ERC20(escrowToken).safeTransfer(refundTo, escrowAmount);
File: router/libraries/Payments.sol
33: ERC20(token).safeTransfer(recipient, value);
52: ERC20(token).safeTransfer(recipient, amount);
69: if (balance > 0) ERC20(token).safeTransfer(recipient, balance);
107: ERC20(token).safeTransferFrom(from, to, amount);
Recommendation
Consider using either OpenZeppelin's SafeERC20 instead of SafeTransferLib or adding additional checks to verify that indeed the provided token address is a valid contract.
Github username: @0xfuje Twitter username: 0xfuje Submission hash (on-chain): 0xc97a42dc381fd37f8049aa8f6a012b7d1dac46bd08d3517355d661f69158fb31 Severity: medium
Description:
Impact
Unexpected functionality: no transfers while transfer should happen, deploying vault with non-existing tokens. Note: will examine impact more thoroughly after the submission
Description
The Catalyst codebase uses Solmate's SafeTransferLib for transferring ERC20 tokens across the
catalystdao/catalyst
codebase. However the codebase does not check if the provided token addresses do really exist or not. The difference between openzeppelin'sSafeERC20
and Solmate'sSafeTransferLib
is: while Openzeppelin checks if the token is a contract, Solmate does not.solmate/src/utils/SafeTransferLib.sol
Instances
Recommendation
Consider using either OpenZeppelin's
SafeERC20
instead ofSafeTransferLib
or adding additional checks to verify that indeed the provided token address is a valid contract.