sherlock-admin2
commented
1 year ago 2 comment(s) were left on this issue during the judging contest.
panprog commented:
low, because it's admin mistake to set reward rate long before setting the reward token or set invalid reward token address
MohammedRizwan commented:
invalid issue as rewardToken will be set by timelock governor
Stoicov
false
Solmate's safeTransferLib does not check if a token address has associated code with it, which may cause loss of funds.
Summary
The lack of contract existence check upon a transfer can lead to messed accounting and loss of funds.
Vulnerability Detail
There is a key difference between the implementations of OZ's
safeERC20and Solmate'ssafeTransferLib. The latter does not check if thetokenaddress has associated code with it. This responsibility is delegated to the caller as stated in the NatSpec documentation of Solmate'ssafeTransferLib. This can mess up the accounting due to the fact thatsafeTransferandsafeTransferFromwon't revert if a non-existent token is passed. Consider the following:The
GOVERNORhas the ability to setrewardsTokeninFactory. Because of the following checkaddress(rewardsToken) == address(0));it is made clear that thistokencan be set only once. There are no checks implemented if thetokenaddress actually contains code so what can happen is that theGOVERNOR, either by mistake or willingly, can setrewardsTokento an address that has no code within it. This will DOS the protocol because as mentioned aboverewardsTokencan be set only once and although it is not actually atokentransfers will succeed but notokensare being transferred in reality.Impact
Lenders have no incentive to give loans.
Code Snippet
https://github.com/sherlock-audit/2023-10-aloe/blob/main/aloe-ii/core/src/Factory.sol#L272-L274
Tool used
Manual Review
Recommendation
Prior to
safeTransferorsafeTransferFromadd code existence checks. Also check the balance before thetransferand after to ensure tokens are actually being transfered.Duplicate of #82