Token transfers do not verify that the tokens were successfully transferred
Severity: medium
Submitted by: 0xcc
Summary
Some ERC20 tokens don’t throw but just return false when a transfer fails.
Vulnerability Detail
Some tokens (such as ZRX) do not revert when transfer/transferFrom fails; they return false instead, so the caller must check the boolean return value after every transfer/transferFrom call.
Impact
This can be abused to trick the initiateTrade() function into recording a trade without any tokens actually being provided.
Code Snippet
Tool used
Manual Review
Recommendation
Use SafeERC20's safeTransfer/safeTransferFrom functions, which revert when the token returns false.
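As an added illustration (not code from the audited project), the following shows a constructed non-reverting mock token beside a vulnerable initiateTrade() and its SafeERC20-based fix; the contract names, the Trade struct and the storage layout are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock of a non-reverting token: transferFrom returns false
// instead of reverting when the payer's balance is insufficient.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount) return false; // no revert, no state change
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern (hypothetical contract): the boolean is dropped, so the
// trade is recorded even though no tokens moved.
contract VulnerableTrade {
    struct Trade { address maker; address token; uint256 amount; }
    Trade[] public trades;

    function initiateTrade(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount); // return value ignored
        trades.push(Trade(msg.sender, token, amount));
    }
}

// Fixed pattern: safeTransferFrom reverts when the call fails or when the
// token returns false, so the trade is only recorded after the tokens arrive.
contract SafeTrade {
    using SafeERC20 for IERC20;

    struct Trade { address maker; address token; uint256 amount; }
    Trade[] public trades;

    function initiateTrade(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        trades.push(Trade(msg.sender, token, amount));
    }
}
```

Against FalseReturningToken with an empty balance, VulnerableTrade.initiateTrade succeeds and pushes a trade while SafeTrade.initiateTrade reverts and records nothing.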