0xhacksmithh
medium
Wrong Implementation _balanceOf() & _safeTransfer() Functions In PassThroughWalletImpl.sol Contract File
Summary
passThroughTokens(address[] calldata tokens_) will behave unexpectedly when the input tokens array contains ETH.
Vulnerability Detail
The PassThroughWalletImpl.sol contract imports TokenUtils.sol.
TokenUtils.sol has the special functions _balanceOf() and _safeTransfer(), which return a token balance and perform a token transfer respectively, taking into account whether the token is the native one (i.e. ETH) or an ERC20.
But the function passThroughTokens(address[] calldata tokens_) performs all of its work on the assumption that every token in its parameter is an ERC20. For native ETH it will therefore behave unexpectedly, since the token address in that case is the zero address.
Impact
Refer to the Vulnerability Detail section.
Code Snippet
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-pass-through-wallet/src/PassThroughWalletImpl.sol#L120-L133
https://github.com/sherlock-audit/2023-04-splits/blob/main/splits-utils/src/TokenUtils.sol#L20-L27
Tool used
Manual Review
Recommendation
Try to use the internal functions of TokenUtils.sol, which is already imported.
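One way the recommended pattern can look, as an added example that is not code from this report or from the Splits repository. The names NativeAwareToken, PassThroughSketch, IERC20Minimal, balanceOf_ and safeTransfer_ are hypothetical, and the example assumes, as the report states, that the zero address denotes native ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; every name here is hypothetical, not the audited code.
interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

library NativeAwareToken {
    // Assumption taken from the report: address(0) stands for native ETH.
    address internal constant ETH_ADDRESS = address(0);

    function balanceOf_(address token, address holder) internal view returns (uint256) {
        return token == ETH_ADDRESS ? holder.balance : IERC20Minimal(token).balanceOf(holder);
    }

    function safeTransfer_(address token, address to, uint256 amount) internal {
        if (token == ETH_ADDRESS) {
            (bool ok,) = to.call{value: amount}("");
            require(ok, "ETH transfer failed");
        } else {
            // A call to an address without code succeeds silently, so reject it.
            require(token.code.length > 0, "token has no code");
            // Low-level call tolerates tokens that return no value.
            (bool ok, bytes memory ret) =
                token.call(abi.encodeCall(IERC20Minimal.transfer, (to, amount)));
            require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "ERC20 transfer failed");
        }
    }
}

contract PassThroughSketch {
    using NativeAwareToken for address;

    address public immutable passThrough; // destination of forwarded funds

    constructor(address passThrough_) { passThrough = passThrough_; }

    receive() external payable {}

    // Every entry goes through the ETH-aware helpers, so a zero-address entry
    // forwards the native balance instead of being treated as an ERC20.
    function passThroughTokens(address[] calldata tokens_) external returns (uint256[] memory amounts) {
        amounts = new uint256[](tokens_.length);
        for (uint256 i; i < tokens_.length; ++i) {
            amounts[i] = tokens_[i].balanceOf_(address(this));
            tokens_[i].safeTransfer_(passThrough, amounts[i]);
        }
    }
}
```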