0x996 - If the withdrawal account is not the caller itself, the `ChilizWrappedERC20::withdrawTo` function will encounter issues with incorrect token amount transfer. #221
If the withdrawal account is not the caller itself, the ChilizWrappedERC20::withdrawTo function will encounter issues with incorrect token amount transfer.
Summary:
If the withdrawal account is not the caller itself, the ChilizWrappedERC20::withdrawTo function will transfer the token amount by subtracting the burnt amount from the withdrawal amount from the caller's account to the withdrawal account. However, this is problematic because only the actual unwrapped amount unwrapAmount needs to be transferred directly, without subtracting the burnt amount burntAmount of tokens. Otherwise, incorrect token transfer issues may occur.
Vulnerability Detail
If the withdrawal account is not the caller itself, asset transfer operation is executed, transferring the token amount of the withdrawal minus the burnt amount from the caller's account to the withdrawal account. _transfer(msgSender, account, amount - burntAmount);
When we substitute numerical values for calculation testing, we find that the final result is: amount = burntAmount. This will lead to incorrect token transfer issues in _transfer(msgSender, account, amount - burntAmount);.
Impact
If the withdrawal account is not the caller itself, it will lead to incorrect token transfer issues.
Invalid, there is no issue presented here. If the account has insufficient balance to transfer to approved caller withdrawing, it should revert accordingly
0x996
medium
If the withdrawal account is not the caller itself, the
ChilizWrappedERC20::withdrawTo
function will encounter issues with incorrect token amount transfer.Summary:
If the withdrawal account is not the caller itself, the
ChilizWrappedERC20::withdrawTo
function will transfer the token amount by subtracting the burnt amount from the withdrawal amount from the caller's account to the withdrawal account. However, this is problematic because only the actual unwrapped amountunwrapAmount
needs to be transferred directly, without subtracting the burnt amountburntAmount
of tokens. Otherwise, incorrect token transfer issues may occur.Vulnerability Detail
_transfer(msgSender, account, amount - burntAmount);
uint256 unwrapAmount = amount / decimalsOffset;
anduint256 burntAmount = unwrapAmount * decimalsOffset;
.amount = burntAmount
. This will lead to incorrect token transfer issues in_transfer(msgSender, account, amount - burntAmount);
.Impact
If the withdrawal account is not the caller itself, it will lead to incorrect token transfer issues.
Code Snippet:
https://github.com/sherlock-audit/2024-02-jala-swap/blob/main/jalaswap-dex-contract/contracts/utils/ChilizWrappedERC20.sol#L45-L55
Tool used
Manual Review
Recommendation:
Suggest changing
amount - burntAmount
tounwrapAmount
.