search

sherlock-audit / 2023-02-surge-judging

4 stars 1 forks source link

tsvetanovv - ERC20 transfer zero amount can be reverted #266

Closed github-actions[bot] closed 1 year ago

github-actions[bot] commented 1 year ago

tsvetanovv

medium

ERC20 transfer zero amount can be reverted

Summary

Certain ERC-20 tokens do not support zero-value token transfers and revert. As ERC20 can be an arbitrary token, in the case when such token doesn't allow for zero amount transfers.

Vulnerability Detail

See summary

Impact

This may break systems or burn tokens by transferring them to address(0).

Code Snippet

https://github.com/sherlock-audit/2023-02-surge/blob/main/surge-protocol-v1/src/Pool.sol#L19

342: safeTransferFrom(LOAN_TOKEN, msg.sender, address(this), amount);
388: safeTransfer(LOAN_TOKEN, msg.sender, amount);
396: safeTransferFrom(COLLATERAL_TOKEN, msg.sender, address(this), amount);
450: safeTransfer(COLLATERAL_TOKEN, msg.sender, amount);
497: safeTransfer(LOAN_TOKEN, msg.sender, amount);
546: safeTransferFrom(LOAN_TOKEN, msg.sender, address(this), amount);
607: safeTransferFrom(LOAN_TOKEN, msg.sender, address(this), _amount);
608: safeTransfer(COLLATERAL_TOKEN, msg.sender, collateralReward);

Tool used

Manual Review

Recommendation

Add a simple check for zero-value token transfers.