morpho-org · MerlinEgalite · Dec 5, 2023 · Dec 5, 2023 · Dec 5, 2023
diff --git a/src/libraries/ErrorsLib.sol b/src/libraries/ErrorsLib.sol
@@ -27,6 +27,9 @@ library ErrorsLib {
     /// @notice Thrown when the market is already created.
     string internal constant MARKET_ALREADY_CREATED = "market already created";
 
+    /// @notice Thrown when a token to transfer doesn't have code.
+    string internal constant NO_CODE = "no code";
+
     /// @notice Thrown when the market is not created.
     string internal constant MARKET_NOT_CREATED = "market not created";
 

diff --git a/src/libraries/SafeTransferLib.sol b/src/libraries/SafeTransferLib.sol
@@ -15,18 +15,19 @@ interface IERC20Internal {
 /// @custom:contact security@morpho.org
 /// @notice Library to manage transfers of tokens, even if calls to the transfer or transferFrom functions are not
 /// returning a boolean.
-/// @dev It is the responsibility of the market creator to make sure that the address of the token has non-zero code.
 library SafeTransferLib {
-    /// @dev Warning: It does not revert on `token` with no code.
     function safeTransfer(IERC20 token, address to, uint256 value) internal {
+        require(address(token).code.length > 0, ErrorsLib.NO_CODE);
+
         (bool success, bytes memory returndata) =
             address(token).call(abi.encodeCall(IERC20Internal.transfer, (to, value)));
         require(success, ErrorsLib.TRANSFER_REVERTED);
         require(returndata.length == 0 || abi.decode(returndata, (bool)), ErrorsLib.TRANSFER_RETURNED_FALSE);
     }
 
-    /// @dev Warning: It does not revert on `token` with no code.
     function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
+        require(address(token).code.length > 0, ErrorsLib.NO_CODE);
+
         (bool success, bytes memory returndata) =
             address(token).call(abi.encodeCall(IERC20Internal.transferFrom, (from, to, value)));
         require(success, ErrorsLib.TRANSFER_FROM_REVERTED);

diff --git a/test/forge/integration/SupplyCollateralIntegrationTest.sol b/test/forge/integration/SupplyCollateralIntegrationTest.sol
@@ -28,6 +28,18 @@ contract SupplyCollateralIntegrationTest is BaseTest {
         morpho.supplyCollateral(marketParams, amount, address(0), hex"");
     }
 
+    function testSupplyCollateralTokenNotCreated(uint256 amount, address token) public {
+        amount = bound(amount, 1, MAX_TEST_AMOUNT);
+
+        vm.assume(token.code.length == 0);
+
+        marketParams.collateralToken = token;
+        morpho.createMarket(marketParams);
+
+        vm.expectRevert(bytes(ErrorsLib.NO_CODE));
+        morpho.supplyCollateral(marketParams, amount, ONBEHALF, hex"");
+    }
+
     function testSupplyCollateral(uint256 amount) public {
         amount = bound(amount, 1, MAX_COLLATERAL_ASSETS);
 

diff --git a/test/forge/integration/SupplyIntegrationTest.sol b/test/forge/integration/SupplyIntegrationTest.sol
@@ -41,6 +41,18 @@ contract SupplyIntegrationTest is BaseTest {
         morpho.supply(marketParams, amount, shares, address(0), hex"");
     }
 
+    function testSupplyTokenNotCreated(uint256 amount, address token) public {
+        amount = bound(amount, 1, MAX_TEST_AMOUNT);
+
+        vm.assume(token.code.length == 0);
+
+        marketParams.loanToken = token;
+        morpho.createMarket(marketParams);
+
+        vm.expectRevert(bytes(ErrorsLib.NO_CODE));
+        morpho.supply(marketParams, amount, 0, ONBEHALF, hex"");
+    }
+
     function testSupplyAssets(uint256 amount) public {
         amount = bound(amount, 1, MAX_TEST_AMOUNT);
 

diff --git a/test/forge/libraries/SafeTransferLibTest.sol b/test/forge/libraries/SafeTransferLibTest.sol
@@ -85,6 +85,20 @@ contract SafeTransferLibTest is Test {
         this.safeTransferFrom(address(tokenWithBooleanAlwaysFalse), from, to, amount);
     }
 
+    function testSafeTransferTokenNotCreated(address token, address to, uint256 amount) public {
+        vm.assume(token.code.length == 0);
+
+        vm.expectRevert(bytes(ErrorsLib.NO_CODE));
+        this.safeTransfer(token, to, amount);
+    }
+
+    function testSafeTransferFromTokenNotCreated(address token, address from, address to, uint256 amount) public {
+        vm.assume(token.code.length == 0);
+
+        vm.expectRevert(bytes(ErrorsLib.NO_CODE));
+        this.safeTransferFrom(token, from, to, amount);
+    }
+
     function safeTransfer(address token, address to, uint256 amount) external {
         IERC20(token).safeTransfer(to, amount);
     }