TokenSender contract will not send anything even if it needs to

[code423n4]

Lines of code

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/TokenSender.sol#L41

Vulnerability details

Impact

TokenSender contract is used to reimburse user fees. But if the balance of PPO token inside the contract is low it can happen that the user don't get any token even if there is some to be sent.

Proof of Concept

If the calculated token amount to send is more that is in the contract balance we simply don't send any

https://github.com/prepo-io/prepo-monorepo/blob/3541bc704ab185a969f300e96e2f744a572a3640/apps/smart-contracts/core/contracts/TokenSender.sol#L41

Tools Used

Manual review

Recommended Mitigation Steps

At least two options

• revert instead of just return; to signal that the TokenSender contract is low on balance. Admin should tip the contract so repeating call will not fail
• return the difference of outputAmount and the token balance. Something like this:

    if (outputAmount == 0) return;
-   if (outputAmount > _outputToken.balanceOf(address(this))) return;
+    if (_outputToken.balanceOf(address(this) == 0) revert("need token refill"); // OR just return 0 but then the problem remains
+   if (outputAmount > _outputToken.balanceOf(address(this)))  {
+       outputAmount -= _outputToken.balanceOf(address(this); //send what you can      
+   }

    _outputToken.transfer(recipient, outputAmount);

[c4-judge]

Picodes marked the issue as duplicate of #257

[c4-judge]

Picodes marked the issue as partial-50

[Picodes]

The impact does not explain why in this context this is an issue. As the rebate is optional the described behavior could make sense, so the explanation needs to be more detailed.