TokenSender contract will not send anything even if it needs to #235
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-257
partial-50: Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/TokenSender.sol#L41
Vulnerability details
Impact
The TokenSender contract is used to reimburse user fees. But if the balance of the PPO token inside the contract is low, it can happen that the user doesn't get any tokens even if there are some to be sent.
Proof of Concept
If the calculated token amount to send is more than what is in the contract balance, we simply don't send any.
https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/TokenSender.sol#L41
Tools Used
Manual review
Recommended Mitigation Steps
At least two options
return; to signal that the TokenSender contract is low on balance. Admin should tip the contract so repeating call will not fail
outputAmount and the token balance. Something like this:
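As an added example (not part of the original report and not the prePO code), this Solidity sketch contrasts the all-or-nothing behaviour described above with a variant that pays out whatever balance is available and emits an event on a shortfall. The contract, function and event names, the caller restriction and the cap at the available balance are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration, not the prePO TokenSender. All names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ReimbursementSketch {
    IERC20 public immutable outputToken;
    address public immutable allowedCaller; // assumed: only this address may trigger payouts

    // Emitted when the balance cannot cover the full reimbursement,
    // so an operator can see that the contract needs topping up.
    event Shortfall(address indexed recipient, uint256 owed, uint256 paid);

    constructor(IERC20 token, address caller) {
        outputToken = token;
        allowedCaller = caller;
    }

    modifier onlyAllowedCaller() {
        require(msg.sender == allowedCaller, "not allowed");
        _;
    }

    // Behaviour described in the report: if the balance cannot cover the
    // full amount, return silently and the recipient receives nothing.
    function sendAllOrNothing(address recipient, uint256 outputAmount) external onlyAllowedCaller {
        if (outputAmount == 0) return;
        if (outputAmount > outputToken.balanceOf(address(this))) return;
        require(outputToken.transfer(recipient, outputAmount), "transfer failed");
    }

    // Capped variant: pay the smaller of outputAmount and the balance,
    // and record how much of the reimbursement was left unpaid.
    function sendCapped(address recipient, uint256 outputAmount) external onlyAllowedCaller {
        if (outputAmount == 0) return;
        uint256 balance = outputToken.balanceOf(address(this));
        uint256 amountToSend = outputAmount > balance ? balance : outputAmount;
        if (amountToSend < outputAmount) emit Shortfall(recipient, outputAmount, amountToSend);
        if (amountToSend == 0) return;
        require(outputToken.transfer(recipient, amountToSend), "transfer failed");
    }
}
```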