sherlock-admin3
commented
4 months ago 1 comment(s) were left on this issue during the judging contest.
z3s commented:
Invalid; SafeERC20 It's a helper to make safe the interaction with someone else's ERC20 token, It's okay here.
0xrobsol
medium
Transfer and Flash Loan Repayment Safety Issue
Summary
The function responsible for transferring yield tokens (YT) and repaying a flash loan in the smart contract may introduce risk due to the unsafe use of the transfer method. This method does not guarantee that the transaction will fail gracefully, potentially leading to unhandled exceptions or loss of funds if the transfer fails. There is also a lot more places that is using transfer.
Vulnerability Detail
In the smart contract code, the transfer method is used to move YT tokens to a recipient and to repay a flash loan with WETH tokens. This method, inherently, does not throw an error if the transfer fails, instead it returns a boolean value. The current implementation does not check this return value, which could result in silent failures where the contract believes the operation was successful even if it was not.
Impact
The primary risk involves the potential loss of funds or the failure to properly repay debts, particularly in scenarios involving flash loans. This oversight may lead to financial discrepancies within the smart contract's operations, affecting trust and reliability.
Code Snippet
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/metapool-router/src/MetapoolRouter.sol#L344
https://github.com/sherlock-audit/2024-05-napier-update/blob/main/metapool-router/src/MetapoolRouter.sol#L341
Tool used
Manual Review
Recommendation
Consider using the safeTransfer method from OpenZeppelin's library, which includes error handling by default, enhancing the security of token transfers