Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PA1D._payoutTokens() won't work for USDT and other inconsistent ERC20 tokens. #441

Closed
code423n4 opened this issue Oct 25, 2022 · 1 comment
Closed

PA1D._payoutTokens() won't work for USDT and other inconsistent ERC20 tokens. #441

code423n4 opened this issue Oct 25, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists responded The Holograph team has reviewed and responded sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/enforcer/PA1D.sol#L439

Vulnerability details

Impact

Some ERC20 tokens (USDT, BNB, OMG) do not return a boolean on succesful transfer. Checking the returned value of transfer for these tokens will always fail.

Proof of Concept

Usage of ERC20 interface and require statement in PA1D.sol.

https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/enforcer/PA1D.sol#L439

Recommended Mitigation Steps

Implement a custom function to transfer tokens by checking if the contract exist and making a a low level call using the ERC20 interface selector. E.g.

function _safeTransfer(address token, address to, uint256 value) private {
    require(token.code.length > 0);
    (bool success, bytes memory data) =
    token.call(abi.encodeWithSelector(ERC20.transfer.selector, to, value));
    require(success && (data.length == 0 || abi.decode(data, (bool))));
}

Alternatively, use OpenZeppelin SafeERC20.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 25, 2022
code423n4 added a commit that referenced this issue Oct 25, 2022
@code423n4
brgltd issue #441
9038383
@gzeoneth
Copy link
Member

Duplicate of #456

@gzeoneth gzeoneth marked this as a duplicate of #456 Oct 30, 2022
@gzeoneth gzeoneth added the duplicate This issue or pull request already exists label Oct 30, 2022
@ACC01ADE ACC01ADE added sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") responded The Holograph team has reviewed and responded labels Nov 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists responded The Holograph team has reviewed and responded sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ACC01ADE @code423n4 @gzeoneth