search

sherlock-audit / 2023-12-avail-judging

4 stars 4 forks source link

DenTonylifer - Lack of balance check #105

Closed sherlock-admin closed 8 months ago

sherlock-admin commented 8 months ago

DenTonylifer

medium

Lack of balance check

Summary

Lack of balance check when sending WAVAIL.

Vulnerability Detail

In the "sendAVAIL" function, there is insufficient validation of the entered amount of tokens for sending. To receive tokens on another chain, they must first be burned on this chain. If the amount of tokens to burn is greater than the user's balance, the transaction will unexpectedly revert. It also refers to "sendERC20" function.

Impact

Unexpected revert when sending WAVAIL or other erc20.

Code Snippet

https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L348 https://github.com/sherlock-audit/2023-12-avail/blob/main/contracts/src/AvailBridge.sol#L410

//function sendAVAIL
avail.burn(msg.sender, amount);
//function sendERC20
IERC20(token).safeTransferFrom(msg.sender, address(this), amount);

Tool used

Manual Review

Recommendation

Recommended to check if there is enough WAVAIL or other erc20 on the user's balance to burn or send

//for function sendAVAIL
require(avail.balanceOf(msg.sender) >= amount, 'Insufficient balance of WAVAIL!');
//for function sendERC20
require(IERC20(token).balanceOf(msg.sender) >= amount, 'Insufficient balance of WAVAIL!');
sherlock-admin commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

takarez commented:

invalid because { invalid: no impact}