Description:Description\
The transfer function is designed to handle token transfers between addresses in a Solidity smart contract. It should ensure that transfers only occur when the amount to be transferred is non-zero and the sender is not transferring tokens to themselves.
The current implementation of the condition in the transfer function is incorrect. The condition if (amount != 0 || msg.sender == to) is intended to prevent transfers when the amount is zero and when the sender is transferring tokens to themselves. However, this logic is flawed. Specifically, the condition allows the function to proceed even if the amount is zero, provided that msg.sender is equal to to, which is not the intended behavior.
Attack Scenario\
An attacker or user can exploit this vulnerability by calling the transfer function with an amount of zero while setting to to be the same as msg.sender. This would allow the function to proceed, potentially executing unintended transfer logic even though no actual transfer should occur.
function transfer(address to, uint256 amount) external virtual returns (bool) {
// If `amount` is 0, or `msg.sender` is `to` nothing happens
if (amount != 0 || msg.sender != to) {
uint256 srcBalance = balanceOf[msg.sender];
require(srcBalance >= amount, "ERC20: balance too low");
if (msg.sender != to) {
require(to != address(0), "ERC20: no zero address"); // Moved down so low balance calls safe some gas
balanceOf[msg.sender] = srcBalance - amount; // Underflow is checked
balanceOf[to] += amount;
}
}
emit Transfer(msg.sender, to, amount);
return true;
}
Github username: @Jelev123 Twitter username: zhulien_zhelev Submission hash (on-chain): 0x69d11623cf0dd5ca8c72d944b503f95b0fca35850eaaa3f3ab8f19de80e93184 Severity: medium
Description: Description\ The transfer function is designed to handle token transfers between addresses in a Solidity smart contract. It should ensure that transfers only occur when the amount to be transferred is non-zero and the sender is not transferring tokens to themselves.
The current implementation of the condition in the
transfer
function is incorrect. The condition if(amount != 0 || msg.sender == to)
is intended to prevent transfers when the amount is zero and when the sender is transferring tokens to themselves. However, this logic is flawed. Specifically, the condition allows the function to proceed even if the amount is zero, provided thatmsg.sender
is equal toto
, which is not the intended behavior.Attack Scenario\
An attacker or user can exploit this vulnerability by calling the transfer function with an amount of zero while setting to to be the same as msg.sender. This would allow the function to proceed, potentially executing unintended transfer logic even though no actual transfer should occur.
transfer
Recommendation to fix