This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
Piyushshukla - missing return check and also missing zero check of the recipient address #146
Comments
github-actions
bot
added
Medium
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Piyushshukla
medium
missing return check and also missing zero check of the recipient address
Summary
Some tokens do not revert on failure, but instead return false.
tranfser/transferfrom is directly used to send tokens in many places in the contract and the return value is not checked.
If the token send fails, it will cause a lot of serious problems.
in FootiumEscrow.sol found that is return check and aso missig the zero address in ERC20 token tranasfer
Vulnerability Detail
the missing return check can allow a transaction to be executed without verifying that the transaction was successful, which can result in a loss of funds for the user. In the case of token transfers
also there is missing zero check of the recipient address can lead to unintended transfers of tokens to the zero address
Impact
The issue is that the code doesn't use the safeTransferFrom() utility from SafeERC20.
Therefore, profitTokens that don't return a bool in transferFrom() will cause a revert which
means they are stuck in the contract.
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#LL105C1-L112C1
function transferERC20(
IERC20 erc20Contract,
address to,
uint256 amount
) external onlyClubOwner {
erc20Contract.transfer(to, amount);
}
Tool used
Manual Review
Recommendation
Recommend using OpenZeppelin's SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
Duplicate of #86
The text was updated successfully, but these errors were encountered: