search

sherlock-audit / 2023-04-splits-judging

4 stars 1 forks source link

0xhacksmithh - Wrong Implementation _balanceOf() & _safeTransfer() Functions In PassThroughWalletImpl.sol Contract File #126

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

0xhacksmithh

medium

Wrong Implementation _balanceOf() & _safeTransfer() Functions In PassThroughWalletImpl.sol Contract File

Summary

passThroughTokens(address[] calldata tokens_) will behave unusual when input tokens array content ETH

Vulnerability Detail

PassThroughWalletImpl.sol contract import TokenUtils.sol

import {TokenUtils} from "splits-utils/TokenUtils.sol";

This has special functions _balanceOf() and safeTransfer() which handles giving token balance and token transfer respectively by considering whether it(token) is a Native one(i.e ETH) or any Erc20.

But function passThroughTokens(address[] calldata tokens_) preform all functionality by considering that all tokens present in that function parameter are ERC20, So in case of Native (ETH) it will behave unusual as here token address will be a Zero address.

    function passThroughTokens(address[] calldata tokens_) external pausable returns (uint256[] memory amounts) {
        address _passThrough = $passThrough;
        uint256 length = tokens_.length;
        amounts = new uint256[](length);
        for (uint256 i; i < length;) {
            address token = tokens_[i];
            uint256 amount = token._balanceOf(address(this)); // @audit-issue wrong implementation 
            _balanceOf(address token, address addr)
            amounts[i] = amount;
            token._safeTransfer(_passThrough, amount); // @audit-issue

            unchecked {
                ++i;
            }
        }

Impact

Refer Vulnerability Detail section

Code Snippet

https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-pass-through-wallet/src/PassThroughWalletImpl.sol#L120-L133

https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/TokenUtils.sol#L20-L27

Tool used

Manual Review

Recommendation

Try to implement TokenUtils.sol's internal function which is Imported

    function passThroughTokens(address[] calldata tokens_) external pausable returns (uint256[] memory amounts) {
        address _passThrough = $passThrough;
        uint256 length = tokens_.length;
        amounts = new uint256[](length);
        for (uint256 i; i < length;) {
            address token = tokens_[i];
-           uint256 amount = token._balanceOf(address(this)); 
+          uint256 amount = _balanceOf(token, address(this)); 
            amounts[i] = amount;
-           token._safeTransfer(_passThrough, amount); 
-           _safeTransfer(token, _passThrough, amount); 

            unchecked {
                ++i;
            }
        }