Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return values of ERC20 transfer and transferFrom are unchecked #112

Open
code423n4 opened this issue Jun 24, 2021 · 2 comments
Open

Return values of ERC20 transfer and transferFrom are unchecked #112

code423n4 opened this issue Jun 24, 2021 · 2 comments
Assignees
@kamescg
Labels
2 (Med Risk) BadgerYieldSource bug Something isn't working sponsor confirmed SushiYieldSource

Comments

@code423n4
Copy link
Contributor

Handle

shw

Vulnerability details

Impact

In the contracts BadgerYieldSource and SushiYieldSource, the return values of ERC20 transfer and transferFrom are not checked to be true, which could be false if the transferred tokens are not ERC20-compliant (e.g., BADGER). In that case, the transfer fails without being noticed by the calling contract.

Proof of Concept

If warden's understanding of the BadgerYieldSource is correct, the badger variable should be the BADGER token at address 0x3472a5a71965499acd81997a54bba8d852c6e53d. However, this implementation of BADGER is not ERC20-compliant, which returns false when the sender does not have enough token to transfer (both for transfer and transferFrom). See the source code on Etherscan (at line 226) for more details.

Referenced code:
BadgerYieldSource.sol#L44
BadgerYieldSource.sol#L79
SushiYieldSource.sol#L48
SushiYieldSource.sol#L89

Recommended Mitigation Steps

Use the SafeERC20 library implementation from Openzeppelin and call safeTransfer or safeTransferFrom when transferring ERC20 tokens.
@code423n4 code423n4 added 1 (Low Risk) bug Something isn't working labels Jun 24, 2021
code423n4 added a commit that referenced this issue Jun 24, 2021
@code423n4
shw issue #112
b2e08b6
This was referenced Jun 24, 2021
Closed
Closed
Closed
Closed
Closed
@kamescg kamescg self-assigned this Jun 28, 2021
This was referenced Jun 28, 2021
Merged
Merged
@kamescg
Copy link
Collaborator

kamescg commented Jun 28, 2021

Sushi

Badger

This was referenced Jul 12, 2021
Merged
Merged
@dmvt
Copy link
Collaborator

dmvt commented Jul 31, 2021

Sponsor has repeatedly stated in duplicate issues that: "It's more of a 1 (Low Risk) because the subsequent deposit calls will fail. There is no advantage to be gained; the logic is simply poor."

I disagree with this assessment. The function(s) in question do not immediately call deposit or another function that would cause a revert. In fact the balances are updated:

        balances[msg.sender] = balances[msg.sender].sub(requiredSharesBalance);
        badger.transfer(msg.sender, badgerBalanceDiff);
        return (badgerBalanceDiff);

The impact that this would have on the rest of the system is substantial, including causing incorrect balances to be returned and potentially lost funds.

That said, I do not think this is very likely and so high severity seems excessive here. Im adjusting all of these reports to Medium Risk given that lower likelihood.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kamescg kamescg

Labels
2 (Med Risk) BadgerYieldSource bug Something isn't working sponsor confirmed SushiYieldSource
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dmvt @PierrickGT @kamescg @asselstine @code423n4