The operation is not properly secured: there is no check that the sender is authorized to perform this action, nor any validation that the transferred funds were actually staked or deposited as required.
TKN.transferFrom(msg.sender, address(this), _amount);
Here the contract does not use SafeERC20. Some ERC20 implementations of transfer and transferFrom return false on failure instead of reverting. It is safer to wrap such calls in require() statements, or to use safe wrapper functions that check the return value/data and handle these failures. For reference, https://consensys.net/diligence/audits/2020/09/aave-protocol-v2/#unhandled-return-values-of-transfer-and-transferfrom. Because the return status is not checked, the function proceeds to add the amount to the staking balance even when the transfer failed.
An attacker can steal WETH funds from the contract without fulfilling the staking requirements: the attacker can initiate unauthorized transfers and drain the staked funds.
Use SafeERC20, or check the balance of TKN after transferFrom.
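As an added example (not the audited contract's code), the unchecked pattern from the finding is shown beside a hardened version that applies both recommendations; the contract names, the minimal IERC20 interface and the `staked` mapping are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited contract's code. Assumes a minimal ERC20
// interface; TKN and _amount mirror the finding's names, `staked` is assumed.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract StakingVulnerable {
    IERC20 public immutable TKN;
    mapping(address => uint256) public staked;
    constructor(IERC20 token) { TKN = token; }

    // Pattern from the finding: a token that returns false on failure
    // (instead of reverting) leaves this call "successful", so the stake
    // balance is credited although no tokens arrived.
    function stake(uint256 _amount) external {
        TKN.transferFrom(msg.sender, address(this), _amount);
        staked[msg.sender] += _amount;
    }
}

contract StakingHardened {
    IERC20 public immutable TKN;
    mapping(address => uint256) public staked;
    constructor(IERC20 token) { TKN = token; }

    // Remediation 1 (SafeERC20-style logic, inlined for illustration): low-level
    // call, require success, and if data is returned require it to decode to
    // true. Handles reverting, false-returning and non-returning tokens.
    function _safeTransferFrom(address from, address to, uint256 amount) internal {
        (bool ok, bytes memory data) = address(TKN).call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }

    // Remediation 2: credit only what actually arrived, measured by balance
    // delta. This also catches a TKN address with no code (the call above
    // would "succeed" with empty data) and fee-on-transfer discrepancies.
    function stake(uint256 _amount) external {
        uint256 before = TKN.balanceOf(address(this));
        _safeTransferFrom(msg.sender, address(this), _amount);
        uint256 received = TKN.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        staked[msg.sender] += received;
    }
}
```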