bin2chen - recover() using the standard transfer may not be able to retrieve some tokens #19
Comments
@jeffywu @T-Woodward Was there any publicly available information stating USDT won't be used as a potential reward token at the point of the contest?
You've deleted an escalation for this issue.
"Non-Standard tokens: Issues related to tokens with non-standard behaviors, such as weird-tokens are not considered valid by default unless these tokens are explicitly mentioned in the README" contest readme::
Escalate This is indeed a valid issue since the non-standard behavior of USDT is not acceptable to the protocol team and it is explicitly mentioned in the contest readme. Further, the comment by @AuditorPraise is correct and enough for the validation of this issue.
You've created a valid escalation! To remove the escalation from consideration: Delete your comment. You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
IMO In my opinion, the issue with As mentioned in sherlock rules:
The issue isn't about Funds could be stuck So why should it be an informational now? You can't compare chain Id issue to USDT being stuck in a contract as a result of the devs not using safeTransfer.
@Hash01011122 You are circling too much around sherlock rules, and should look at it more factually instead of subjectively. In the contest details/code logic/documentation, no place does it mention that USDT cannot be a reward token, so I believe your argument is basically invalid. I believe no further discussion is required from my side, imo, this should remain medium severity.
Result:
Escalations have been resolved successfully! Escalation status:
The protocol team fixed this issue in PR/commit notional-finance/contracts-v3#28.
The Lead Senior Watson signed-off on the fix.
bin2chen
medium
recover() using the standard transfer may not be able to retrieve some tokens
Summary
In SecondaryRewarder.recover(), using the standard IERC20.transfer().
If REWARD_TOKEN is like USDT, it will not be able to transfer out, because this kind of token does not return bool.
This will cause it to always revert.
Vulnerability Detail
SecondaryRewarder.recover() use for
Using the standard IERC20.transfer() method to execute the transfer.
A token of a type similar to USDT has no return value.
This will cause the execution of the transfer to always fail.
Impact
If REWARD_TOKEN is like USDT, it will not be able to transfer out.
Code Snippet
https://github.com/sherlock-audit/2023-12-notional-update-5/blob/main/contracts-v3/contracts/external/adapters/SecondaryRewarder.sol#L152C3-L159
Tool used
Manual Review
Recommendation
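The failure mode in this report, as an added example that is not part of the original report or of the project's fix: a constructed USDT-like token with no return value, the standard-interface transfer that reverts on it, and a hardened transfer that checks the return data manually. The names NoReturnToken, RecoverDemo, recoverUnsafe and recoverSafe are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Standard interface: transfer() is declared to return bool, so the compiler
// generates code that decodes 32 bytes of return data after the call.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed stand-in for a USDT-like token: transfer() returns nothing.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor(address holder) { balanceOf[holder] = 1_000_000; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Hypothetical token holder (assumption: not the Notional SecondaryRewarder).
contract RecoverDemo {
    address public immutable owner = msg.sender;

    modifier onlyOwner() { require(msg.sender == owner, "owner"); _; }

    // Pattern from the report: always reverts for NoReturnToken, because the
    // decoder expects a bool and the token returns empty data.
    function recoverUnsafe(address token, uint256 amount) external onlyOwner {
        IERC20(token).transfer(msg.sender, amount);
    }

    // Hardened form: low-level call, then accept empty return data or an
    // ABI-encoded true. The code-size check is needed because a call to an
    // address without code succeeds and returns empty data.
    function recoverSafe(address token, uint256 amount) external onlyOwner {
        require(token.code.length > 0, "not a contract");
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20.transfer.selector, msg.sender, amount)
        );
        require(ok, "transfer reverted");
        require(ret.length == 0 || abi.decode(ret, (bool)), "transfer returned false");
    }
}
```

Deploying NoReturnToken with a RecoverDemo instance as holder shows recoverUnsafe reverting while recoverSafe moves the balance; the same three checks are what a safeTransfer-style wrapper performs.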