search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

bareli - No check for transfer function. #100

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

bareli

Medium

No check for transfer function.

Summary

we are using transfer for sending tokens but we are not checking whether its transferring or not.

Vulnerability Detail

dai.transferFrom(msg.sender, address(this), wad); nst.transferFrom(msg.sender, address(this), wad); GemLike(dai).transfer(address(pair), lot - _sell); GemLike(gem).transfer(address(pair), _buy); GemLike(dai).transfer(address(pair), lot); gov.transfer(msg.sender, wad); rewardsToken.transfer(to, amt);

Impact

transfer may fail.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/nst/src/DaiNst.sol#L72C8-L72C58 https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/nst/src/DaiNst.sol#L79 https://github.com/sherlock-audit/2024-06-makerdao-endgam/blob/main/dss-flappers/src/FlapperUniV2.sol#L158C8-L159C52 https://github.com/sherlock-audit/2024-06-makerdao-endgam/blob/main/dss-flappers/src/FlapperUniV2SwapOnly.sol#L127C5-L127C51 https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/vote-delegate/src/VoteDelegate.sol#L99C8-L99C39 https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/lockstake/src/LockstakeUrn.sol#L78C9-L78C40

Tool used

Manual Review

Recommendation

check the return of transfer

sunbreak1211 commented 1 month ago

This was clearly stated in the scope, all the involved tokens are considered to revert on failure.