No check for return value with transferFrom function could lead to incorrect assumptions #170
Labels
bug (Something isn't working)
downgraded by judge (Judge downgraded the risk level of this issue)
duplicate-90
edited-by-warden
grade-b
QA (Quality Assurance) (Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax)
satisfactory (satisfies C4 submission criteria; eligible for awards)
sufficient quality report (This report is of sufficient quality)
Lines of code
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L148
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L160
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L170
Vulnerability details
Bug Description
In the ERC20MultiDelegate contract, the ERC20 transferFrom function is called when a user processes a new delegation through _processDelegation, gets their tokens and voting power back with _reimburse, or creates a new delegation with createProxyDelegatorAndTransfer. If the ERC20 token used with the ERC20MultiDelegate contract correctly reverts when a transfer fails, there is no problem. But if an ERC20 token that does not revert on transfer failure (for example one that returns false instead) is used in the ERC20MultiDelegate contract, a transaction can succeed while transferFrom did not actually move any tokens. A user could therefore believe their delegation changed when it did not. As the sponsors told us ERC20MultiDelegate could be used for any ERC20 token, this is something to consider.
Impact
Using the ERC20MultiDelegate contract to delegate voting power of an ERC20 token that does not properly revert on transfer failure would break users' assumptions, because the transaction succeeds although the delegation did not change.
Tools Used
Manual
Recommended Mitigation Steps
Using SafeERC20 (safeTransferFrom) or explicitly checking the boolean return value of transferFrom would mitigate this issue.
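The following is an added illustration, not code from the ENS ERC20MultiDelegate contract or from this report. It shows the unchecked transferFrom pattern next to the two mitigations named above (an explicit return-value check and OpenZeppelin's SafeERC20), plus a constructed ERC20 fixture whose transferFrom returns false instead of reverting, so the difference can be exercised in a test. The contract and function names (DelegationTransferExample, depositUnchecked, depositChecked, depositSafe, FalseReturningToken) are hypothetical, and the import paths assume OpenZeppelin Contracts 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical contract (not ERC20MultiDelegate): the same pull-payment step
/// written three ways. Only depositUnchecked has the issue from the report.
contract DelegationTransferExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public delegated;

    constructor(IERC20 _token) {
        token = _token;
    }

    /// Vulnerable pattern: the bool returned by transferFrom is discarded.
    /// With a token that returns false instead of reverting, `delegated`
    /// is increased even though no tokens moved, and the tx succeeds.
    function depositUnchecked(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        delegated[msg.sender] += amount;
    }

    /// Mitigation A: require the return value to be true.
    function depositChecked(uint256 amount) external {
        bool ok = token.transferFrom(msg.sender, address(this), amount);
        require(ok, "transferFrom returned false");
        delegated[msg.sender] += amount;
    }

    /// Mitigation B: SafeERC20 reverts if the call fails, returns false,
    /// or (for non-standard tokens) returns no data at all.
    function depositSafe(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        delegated[msg.sender] += amount;
    }
}

/// Constructed test fixture: an ERC20 that signals failure by returning
/// false rather than reverting. Used only to demonstrate the contrast above.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) private _bal;
    mapping(address => mapping(address => uint256)) private _allow;
    uint256 public override totalSupply;

    function mint(address to, uint256 amount) external {
        _bal[to] += amount;
        totalSupply += amount;
        emit Transfer(address(0), to, amount);
    }

    function balanceOf(address a) external view override returns (uint256) {
        return _bal[a];
    }

    function allowance(address o, address s) external view override returns (uint256) {
        return _allow[o][s];
    }

    function approve(address s, uint256 amount) external override returns (bool) {
        _allow[msg.sender][s] = amount;
        emit Approval(msg.sender, s, amount);
        return true;
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        return _move(msg.sender, to, amount);
    }

    // Returns false (no revert) when allowance or balance is insufficient.
    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        if (_allow[from][msg.sender] < amount || _bal[from] < amount) return false;
        _allow[from][msg.sender] -= amount;
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (_bal[from] < amount) return false;
        _bal[from] -= amount;
        _bal[to] += amount;
        emit Transfer(from, to, amount);
        return true;
    }
}
```

A unit test that deploys FalseReturningToken, gives a user no balance (or no approval), and calls each deposit function shows the problem directly: depositUnchecked succeeds and records a delegation with zero tokens held by the contract, while depositChecked and depositSafe revert. The same test against a token that reverts on failure passes for all three, which is why the issue only surfaces with non-reverting ERC20 implementations.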
Assessed type
Token-Transfer