hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

Unsafe ERC20 Operation(s) #40

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @goheesheng
Submission hash (on-chain): 0x446cb46b124596ec6673fcbed77a2bd521e243ed528d34555d24b30885cfcb7e
Severity: medium

Description: Unsafe ERC20 Operation(s)

Attack Scenario: ERC20 operations can be unsafe due to different implementations and vulnerabilities in the standard.

It is therefore recommended to always either use OpenZeppelin's SafeERC20 library or at least to wrap each operation in a require statement.

To circumvent the race-condition vulnerability in ERC20's approve function, use OpenZeppelin's SafeERC20 library's safe{Increase|Decrease}Allowance functions.

Attachments

  1. Proof of Concept (PoC) File
    ../hats-audit/contracts/PresaleVesting/Ibo.sol::213 => _bondParams.token.transferFrom(msg.sender, treasuryBonds, amountIn);
    ../hats-audit/contracts/PresaleVesting/VestingCvg.sol::246 => cvg.transfer(msg.sender, amountToRelease);
    ../hats-audit/contracts/PresaleVesting/VestingCvg.sol::267 => cvg.transfer(msg.sender, amountToRelease);
    ../hats-audit/contracts/PresaleVesting/VestingCvg.sol::288 => cvg.transfer(msg.sender, amountToRelease);
    ../hats-audit/contracts/PresaleVesting/VestingCvg.sol::311 => cvg.transfer(msg.sender, amountToRelease);
    ../hats-audit/contracts/PresaleVesting/VestingCvg.sol::405 => cvg.transfer(msg.sender, _amount);
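The unchecked `transfer` pattern cited in the report, shown beside the two remedies it recommends (a `require` wrapper and SafeERC20), as an added example that is not part of the original issue or of the Convergence code base; the contract, its function names and the `releasable` mapping are hypothetical stand-ins for the vesting release logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical sketch of a vesting release, not the project's VestingCvg.sol.
/// The `releasable` accounting is a placeholder for the real vesting schedule.
contract ReleaseExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable cvg;
    mapping(address => uint256) public releasable;

    constructor(IERC20 _cvg) {
        cvg = _cvg;
    }

    /// Pattern flagged in the report: the bool returned by transfer() is
    /// ignored. A token that returns false instead of reverting would leave
    /// the caller unpaid while the contract's state is already zeroed.
    function releaseUnchecked() external {
        uint256 amountToRelease = releasable[msg.sender];
        releasable[msg.sender] = 0;
        cvg.transfer(msg.sender, amountToRelease);
    }

    /// Remedy 1 from the report: wrap the call in require. This catches a
    /// false return, but still reverts for tokens that return no value at
    /// all, because decoding the missing bool fails.
    function releaseRequire() external {
        uint256 amountToRelease = releasable[msg.sender];
        releasable[msg.sender] = 0;
        require(cvg.transfer(msg.sender, amountToRelease), "CVG transfer failed");
    }

    /// Remedy 2 from the report: SafeERC20.safeTransfer reverts if the call
    /// fails or returns false, and also accepts tokens that return nothing.
    function releaseSafe() external {
        uint256 amountToRelease = releasable[msg.sender];
        releasable[msg.sender] = 0;
        cvg.safeTransfer(msg.sender, amountToRelease);
    }
}
```

The same substitution applies to the `transferFrom` call in Ibo.sol, where `safeTransferFrom` is the SafeERC20 equivalent.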
shalbe-cvg commented 1 year ago

Hello, thanks a lot for your attention.

We are aware of this and we won't take this into consideration, as it is assumed on our side. In addition to that, we won't use any ERC20 tokens that are not compatible with this standard on the IBO or the Vesting.

We therefore consider this issue as Invalid.