Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No check for return value with transferfrom function could lead to incorrect assumptions #170

Closed
c4-submissions opened this issue Oct 9, 2023 · 6 comments
Closed

No check for return value with transferfrom function could lead to incorrect assumptions #170

c4-submissions opened this issue Oct 9, 2023 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-90 edited-by-warden grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Oct 9, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L148
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L160
https://github.com/code-423n4/2023-10-ens/blob/ed25379c06e42c8218eb1e80e141412496950685/contracts/ERC20MultiDelegate.sol#L170

Vulnerability details

Bug Description

In ERC20MultiDelegate contract, the ERC20 transferfrom function is called if a user wishes to process a new delegation through _processDelegation, get back his token and voting power with _reimburse, or create a new delegation with createProxyDelegatorAndTransfer.

In case the ERC20 token used within ERC20MultiDelegate contract correctly reverts if any issue occurs during transfer, there won't be any problem related to that. But if an ERC20 token that doesn't properly revert in case of transfer failure is used in the ERC20MultiDelegate contract, this could lead to transactions being successful while transferfrom didn't actually do any transfer. Therefore, a user could think his delegation changed while it didn't. As the sponsors told us ERC20MultiDelegate could be used for any ERC20 token, this might be something to consider.

Impact

using ERC20MultiDelegate contract to delegate voting power of an ERC20 token that doesn't properly reverts in case of transfer failure would break individual assumptions, because transaction will be successful although delegation didn't change.

Tools Used

Manual

Recommended Mitigation Steps

Using safe ERC20 or checking for return values could mitigate the risk involved by the issue.

Assessed type

Token-Transfer
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 9, 2023
c4-submissions added a commit that referenced this issue Oct 9, 2023
@c4-submissions
Tadev issue #170
6f33672
@code4rena-admin code4rena-admin mentioned this issue Oct 12, 2023
Closed
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #91

@c4-pre-sort c4-pre-sort added duplicate-91 sufficient quality report This report is of sufficient quality labels Oct 12, 2023
@c4-pre-sort
Copy link

141345 marked the issue as sufficient quality report

@c4-judge
Copy link
Contributor

hansfriese marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 24, 2023
@c4-judge
Copy link
Contributor

hansfriese marked the issue as duplicate of #90

@c4-judge c4-judge added duplicate-90 downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed duplicate-91 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Oct 28, 2023
@c4-judge
Copy link
Contributor

hansfriese changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

hansfriese marked the issue as grade-b

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-90 edited-by-warden grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards sufficient quality report This report is of sufficient quality
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @c4-submissions @code4rena-admin