search

sherlock-audit / 2023-06-Index-judging

6 stars 2 forks source link

qandisa - transfer() can fail silently, buyer does not receive send token. #74

Closed sherlock-admin2 closed 1 year ago

sherlock-admin2 commented 1 year ago

qandisa

medium

transfer() can fail silently, buyer does not receive send token.

Summary

_executeBid() uses strictInvokeTransfer() with uses a standard transfer() to transfer the send token to the bidder. If this is done on a token that fails silently the bid could be completed without the bidder receiving a token.

Vulnerability Detail

In _executeBid() 

        _bidInfo.setToken.strictInvokeTransfer(
            address(_bidInfo.sendToken),
            msg.sender,
            _bidInfo.quantitySentBySet
        )

where 

bytes memory callData = abi.encodeWithSignature("transfer(address,uint256)", _to, _quantity);

is used to invoke a call from the SetToken. This could fail silently and as a result the bidder does not receive the tokens that they paid for.

Impact

A bidder could complete a bid and pay without receiving the component/quoteAsset they should due to a silent failure off a transfer() call.

Code Snippet

https://github.com/sherlock-audit/2023-06-Index/blob/main/index-protocol/contracts/protocol/modules/v1/AuctionRebalanceModuleV1.sol#L948-L953

Tool used

Manual Review

Recommendation

Use SafeTransfer() from a audited library such as OpenZeppelin.