Closed sherlock-admin2 closed 7 months ago
3 comment(s) were left on this issue during the judging contest.
tsvetanovv commented:
Low
PNS commented:
User input validation: User input validation to prevent user mistakes is not considered a valid issue.
0xAadi commented:
Invalid: OOS, custom implementation tokens are OOS
itsabinashb
high
BaseGladiusReactor.sol::_fill(): There is no check for whether the token has code or not
Summary
In BaseGladiusReactor.sol::_fill(), SafeTransferLib is used for ERC20, but the function does not have any check for whether the ERC20 token has any code or not, so an attacker can use a token which does not have any code, i.e. an invalid token, and as a result the token will be transferred but will not be credited because no token exists at all.
Vulnerability Detail
In the SafeTransferLib.sol library a note is clearly mentioned: @dev Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller.
The BaseGladiusReactor.sol contract is using SafeTransferLib.sol for ERC20 interactions.
In BaseGladiusReactor.sol::_fill() there is an external call on token of OutputToken[]; this token needs to be received by the recipient to satisfy an order. But this _fill() does not have any check for whether the token has any code or not. The external call is made to CurrencyLibrary.sol::transferFill(), in which safeTransferFrom() is called to send the token to the recipient; the CurrencyLibrary.sol contract is also using SafeTransferLib for ERC20. Unfortunately this transferFill() also does not have any check for token code.
Impact
As Rubicon supports trading of any token which adheres to the ERC20 standard and one can add a new token, an attacker can use a token which does not have any code, i.e. an invalid token, so when safeTransferFrom() [SafeTransferLib.sol dependent] is called on that token the token transfer will succeed with no error but the token will not be credited to the recipient.
Code Snippet
Tool used
Manual Review
Recommendation
Use OZ's safeTransferFrom() or put a check for whether the token has code or not.
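The code-existence check the recommendation asks for, as an added example that is not Rubicon's, Gladius's or solmate's code. The library below mimics the solmate-style safeTransferFrom (low-level call, success required, empty returndata accepted) to show why a call to an address with no bytecode passes silently; FillExample, transferFill and TokenHasNoCode are hypothetical names for the hardened caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited project's code. Demonstrates the failure mode
// described in the issue (a "transfer" to an address with no code succeeds) and
// the caller-side check that the SafeTransferLib note delegates to the caller.

library NoCodeCheckTransfer {
    // Mimics a solmate-style safeTransferFrom: a raw call that only requires
    // success and either empty returndata or a decoded `true`. When `token`
    // has no code, the call succeeds with empty returndata, so this passes
    // even though no ERC20 state changed anywhere.
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSignature("transferFrom(address,address,uint256)", from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "TRANSFER_FROM_FAILED");
    }
}

contract FillExample {
    using NoCodeCheckTransfer for address;

    // Hypothetical error for the hardened path.
    error TokenHasNoCode(address token);

    // Hypothetical hardened fill step: reject an output token that has no
    // bytecode before handing it to the library, so a bogus token address
    // reverts instead of "transferring" nothing and leaving the recipient
    // uncredited.
    function transferFill(address token, address from, address to, uint256 amount) external {
        if (token.code.length == 0) revert TokenHasNoCode(token);
        token.safeTransferFrom(from, to, amount);
    }
}
```

Calling transferFill with an externally owned account or an undeployed address as token reverts with TokenHasNoCode, whereas calling the library directly on that address returns normally; OpenZeppelin's SafeERC20 performs the same code check internally, which is why the issue also offers it as an alternative.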