search

sherlock-audit / 2023-02-bond-judging

2 stars 0 forks source link

tsvetanovv - ERC20 transfer zero amount can be reverted #54

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

tsvetanovv

medium

ERC20 transfer zero amount can be reverted

Summary

Certain ERC-20 tokens do not support zero-value token transfers and revert. As ERC20 can be an arbitrary token, in the case when such token doesn't allow for zero amount transfers.

Vulnerability Detail

In addition to the code snippet below, you should also check the other places where there is a transfer.

Impact

This may break systems or burn tokens by transferring them to address(0).

Code Snippet

https://github.com/sherlock-audit/2023-02-bond/blob/main/bonds/src/bases/BondBaseCallback.sol#L150-L167

function withdraw(
        address to_,
        ERC20 token_,
        uint256 amount_
    ) external onlyOwner { 
        token_.safeTransfer(to_, amount_); 
        priorBalances[token_] = token_.balanceOf(address(this));
    }

function deposit(ERC20 token_, uint256 amount_) external onlyOwner {
        token_.safeTransferFrom(msg.sender, address(this), amount_); 
        priorBalances[token_] = token_.balanceOf(address(this));
    }

Tool used

Manual Review

Recommendation

Add a simple check for zero-value token transfers.

Oighty commented 1 year ago

BondBaseCallback is not in scope for this audit (see https://github.com/sherlock-audit/2023-02-bond#audit-scope).