_payoutToken[s]() is not compatible with ERC20-tokens which revert on zero value transfer #454
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
disagree with severity: Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate: This issue or pull request already exists
flag for judge: Judge should review this issue
responded: The Holograph team has reviewed and responded
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/src/enforcer/PA1D.sol#L317
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/src/enforcer/PA1D.sol#L340
Vulnerability details
Impact
Payout is blocked.
Proof of Concept
PA1D._payoutToken() and PA1D._payoutTokens() call ERC20.transfer() to send tokens to a list of payout recipients. Some tokens (e.g. LEND) revert when transferring a zero value amount. If one of the recipients is to receive a zero amount of such a token, then the entire transaction will revert and the payout cannot be made.
Tools Used
Code inspection
Recommended Mitigation Steps
Only attempt to transfer to a recipient if the amount (sending) is greater than zero.
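The failure and the recommended guard side by side, as an added example that is not the PA1D source: ZeroRevertToken, PayoutSplitter, payoutUnguarded and payoutGuarded are hypothetical names, and the token is a constructed stand-in for one that reverts on zero-value transfers. It assumes shares are expressed in basis points, so a recipient configured with 0 bps is the zero-amount case.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Constructed token: reverts on a zero-value transfer, as the report describes.
contract ZeroRevertToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }
    function transfer(address to, uint256 amount) external override returns (bool) {
        require(amount > 0, "zero transfer");
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}
// Hypothetical splitter paying each recipient a share of its token balance.
contract PayoutSplitter {
    address[] public recipients;
    uint256[] public bps; // basis points per recipient (assumed to total 10000)
    constructor(address[] memory _recipients, uint256[] memory _bps) {
        require(_recipients.length == _bps.length, "length mismatch");
        recipients = _recipients;
        bps = _bps;
    }
    // Unguarded loop: a single zero share reverts the whole payout,
    // so no recipient is paid while that share stays zero.
    function payoutUnguarded(IERC20 token) external {
        uint256 balance = token.balanceOf(address(this));
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 sending = (bps[i] * balance) / 10000;
            require(token.transfer(recipients[i], sending), "transfer failed");
        }
    }
    // Guarded loop: zero shares are skipped, the rest are still paid.
    function payoutGuarded(IERC20 token) external {
        uint256 balance = token.balanceOf(address(this));
        for (uint256 i = 0; i < recipients.length; i++) {
            uint256 sending = (bps[i] * balance) / 10000;
            if (sending == 0) continue;
            require(token.transfer(recipients[i], sending), "transfer failed");
        }
    }
}
```

With recipients configured as 10000 bps and 0 bps and the splitter holding ZeroRevertToken, payoutUnguarded reverts with "zero transfer" while payoutGuarded pays the first recipient in full.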