Oxhunter526 - Zero transaction Status Verification After Fund Transfer

[sherlock-admin]

Oxhunter526

medium

Zero transaction Status Verification After Fund Transfer

Summary

The contract contains a vulnerability related to the absence of verification for the success or failure of a fund transfer operation. This vulnerability can lead to potential issues when transferring funds, such as not handling failed transfers correctly.

Vulnerability Detail

In the contract's liquidate function, the code contains a transfer of funds to the callee address, but it lacks proper verification of the transaction status:

payable(callee).transfer(address(this).balance / strain);

The transfer function sends Ether from the contract's balance to the callee address. However, it does not check whether the transfer was successful or if there was an exception (e.g., due to an out-of-gas error). Without this verification, there is no assurance that the funds were received by callee.

Impact

If the transfer fails due to unforeseen circumstances, such as running out of gas, the contract will not be aware of this failure. As a result, funds could be lost, and the contract's state may become inconsistent.

Code Snippet

(https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Borrower.sol#L283)

Tool used

Manual Review

Recommendation

It's essential to check for the success or failure of the transfer. If the transfer fails, it can lead to a loss of funds or, in the case of liquidation, a lack of incentive for the liquidator.

(bool success, ) = payable(callee).call{value: incentiveAmount}("");
require(success, "Transfer failed");

[sherlock-admin2]

3 comment(s) were left on this issue during the judging contest.

panprog commented:

invalid, transaction will revert if it cannot pay

tsvetanovv commented:

Here we send ETH

MohammedRizwan commented:

invalid issue