sherlock-audit / 2023-05-ironbank-judging


cuthalion0x - Zero-value transfers of `IBToken` prohibited #302

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

cuthalion0x

medium

Zero-value transfers of IBToken prohibited

Summary

IBToken prohibits zero-value transfers, which breaks compliance with EIP-20.

Vulnerability Detail

IBToken should comply with EIP-20 to maximize compatibility with existing DeFi applications. EIP-20 expressly states:

Note Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event.

The IBToken transfer logic, encapsulated within IronBank#_transferIBToken(), prohibits zero-value transfers, thereby violating the ERC20 token standard.

Impact

Failure to comply with EIP-20 could present composability issues for IBToken, as many other smart contracts may not protect against the zero-value case.

Code Snippet

https://github.com/sherlock-audit/2023-05-ironbank/blob/main/ib-v2/src/protocol/pool/IronBank.sol#L872

Tool used

Manual Review

Recommendation

Remove the zero-value transfer restriction from IronBank#_transferIBToken().
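
The composability concern from the Impact section, as an added example that is not part of the original report and is not IronBank code. `ModelToken`, its `rejectZero` flag (standing in for a zero-amount guard) and the `ProRataPayout` integrator are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical minimal token, NOT IronBank code. `rejectZero` models a
// zero-amount guard like the one the report describes.
contract ModelToken {
    event Transfer(address indexed from, address indexed to, uint256 value);
    mapping(address => uint256) public balanceOf;
    bool public immutable rejectZero;

    constructor(bool _rejectZero, uint256 supply) {
        rejectZero = _rejectZero;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (rejectZero) require(amount > 0, "zero amount");
        balanceOf[msg.sender] -= amount; // 0.8 checked math reverts on underflow
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount); // EIP-20: fires for 0 as well
        return true;
    }
}

// Hypothetical integrator that splits a pot it already holds pro rata and
// does not special-case shares that round down to zero.
contract ProRataPayout {
    function pay(ModelToken token, address[] calldata to, uint256[] calldata weight, uint256 pot) external {
        uint256 total;
        for (uint256 i; i < weight.length; i++) total += weight[i];
        for (uint256 i; i < to.length; i++) {
            // Integer division: pot * weight / total is 0 for a small weight.
            token.transfer(to[i], pot * weight[i] / total);
        }
    }
}
```

With constructed inputs `weight = [1, 999999]` and `pot = 1000`, the first share rounds to 0: against a token deployed with `rejectZero = true` the whole `pay` call reverts and nobody is paid, while with `rejectZero = false` a zero-value `Transfer` event is emitted and the second recipient receives 999.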

cuthalion0x commented 1 year ago

Escalate for 10 USDC

Although it is not explicitly required that the IBToken comply with EIP-20, the sponsor made clear that they want PToken to comply with EIP-20. This implies that the sponsor is mindful of EIP-20 compliance in general and would like to know about this non-compliance. From the contest description:

Q: Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?

FlashLoan.sol should comply EIP3156

PToken should comply EIP20

In general, lending protocols often seek external integration with other DeFi protocols via composability. Non-compliance with EIP-20 can harm composability and hamper opportunities for broader adoption of the Iron Bank protocol. At the very least, the sponsor should be made aware of this finding, even if it is not ultimately rewarded.

sherlock-admin commented 1 year ago

You've created a valid escalation for 10 USDC!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

0xffff11 commented 1 year ago

Thanks for the report. There is no real impact provided. Deviations from an EIP that has no impact are a low. Low

hrishibhat commented 1 year ago

Result: Low Unique

Considering this issue a low based on the impact shown in the issue and the escalation comments

sherlock-admin commented 1 year ago

Escalations have been resolved successfully!

Escalation status: