Submission Details
Severity: medium

Return values of `transfer()`/`transferFrom()` not checked

Summary

The return values of transfer()/transferFrom() are unchecked.

Vulnerability Details

Not all IERC20 implementations revert() on failure in transfer()/transferFrom(). The function signature has a boolean return value, and such tokens report errors through it instead. Because the return value is not checked, operations that should have been marked as failed may go through without a payment actually having been made.

Code Snippet

File: Fees.sol

```solidity
43: IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
```

File: Lender.sol

```solidity
152: IERC20(p.loanToken).transferFrom(
153:     p.lender,
154:     address(this),
155:     p.poolBalance - currentBalance
156: );
159: IERC20(p.loanToken).transfer(
160:     p.lender,
161:     currentBalance - p.poolBalance
162: );
187: IERC20(pools[poolId].loanToken).transferFrom(
188:     msg.sender,
189:     address(this),
190:     amount
191: );
203: IERC20(pools[poolId].loanToken).transfer(msg.sender, amount);
267: IERC20(loan.loanToken).transfer(feeReceiver, fees);
268: // transfer the loan tokens from the pool to the borrower
269: IERC20(loan.loanToken).transfer(msg.sender, debt - fees);
270: // transfer the collateral tokens from the borrower to the contract
271: IERC20(loan.collateralToken).transferFrom(
272:     msg.sender,
273:     address(this),
274:     collateral
275: );
317: IERC20(loan.loanToken).transferFrom(
318:     msg.sender,
319:     address(this),
320:     loan.debt + lenderInterest
321: );
322: // transfer the protocol fee to the fee receiver
323: IERC20(loan.loanToken).transferFrom(
324:     msg.sender,
325:     feeReceiver,
326:     protocolInterest
327: );
328: // transfer the collateral tokens from the contract to the borrower
329: IERC20(loan.collateralToken).transfer(
330:     loan.borrower,
331:     loan.collateral
332: );
403: IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
505: IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
563: IERC20(loan.collateralToken).transfer(feeReceiver, govFee);
564: // transfer the collateral tokens from the contract to the lender
565: IERC20(loan.collateralToken).transfer(
566:     loan.lender,
567:     loan.collateral - govFee
568: );
642: IERC20(loan.loanToken).transferFrom(
643:     msg.sender,
644:     address(this),
645:     debtToPay - debt
646: );
663: IERC20(loan.collateralToken).transferFrom(
664:     msg.sender,
665:     address(this),
666:     collateral - loan.collateral
667: );
670: IERC20(loan.collateralToken).transfer(
671:     msg.sender,
672:     loan.collateral - collateral
673: );
```

File: Staking.sol

```solidity
39: TKN.transferFrom(msg.sender, address(this), _amount);
49: TKN.transfer(msg.sender, _amount);
55: WETH.transfer(msg.sender, claimable[msg.sender]);
```

Impact

A transfer that fails by returning `false` is treated as if it succeeded, so the surrounding operation (pool accounting, stake credit, loan repayment) may proceed without any payment having been made.

Tools Used

Manual

Recommendations

Return values of transfer()/transferFrom() should be checked.
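The following is an added illustration of the issue and the fix, not code from the audited project. It assumes OpenZeppelin's `IERC20` and `SafeERC20` are available at their standard import paths; `FalseReturningToken`, `UnsafeStaking` and `SafeStaking` are constructed names. The token returns `false` instead of reverting; the unsafe contract mirrors the `Staking.sol` pattern from the snippet and credits a stake that was never paid, while the hardened contract fails closed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not code from the audited project). Assumes OpenZeppelin
// contracts are installed at the standard import paths.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Constructed token that honours the ERC-20 signature but reports
///         failure with `return false` instead of reverting.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) private _bal;
    mapping(address => mapping(address => uint256)) private _allow;
    uint256 private _supply;

    constructor(address to, uint256 amount) { _bal[to] = amount; _supply = amount; }

    function totalSupply() external view returns (uint256) { return _supply; }
    function balanceOf(address a) external view returns (uint256) { return _bal[a]; }
    function allowance(address o, address s) external view returns (uint256) { return _allow[o][s]; }

    function approve(address s, uint256 v) external returns (bool) {
        _allow[msg.sender][s] = v;
        emit Approval(msg.sender, s, v);
        return true;
    }

    function transfer(address to, uint256 v) external returns (bool) {
        return _move(msg.sender, to, v);
    }

    function transferFrom(address from, address to, uint256 v) external returns (bool) {
        if (_allow[from][msg.sender] < v) return false; // signals failure, does not revert
        _allow[from][msg.sender] -= v;
        return _move(from, to, v);
    }

    function _move(address from, address to, uint256 v) internal returns (bool) {
        if (_bal[from] < v) return false;                // signals failure, does not revert
        _bal[from] -= v;
        _bal[to] += v;
        emit Transfer(from, to, v);
        return true;
    }
}

/// @notice Mirrors the reported pattern: the boolean is dropped, so a failed
///         pull still credits the caller with tokens the contract never received.
contract UnsafeStaking {
    IERC20 public immutable TKN;
    mapping(address => uint256) public staked;

    constructor(IERC20 t) { TKN = t; }

    function stake(uint256 amount) external {
        TKN.transferFrom(msg.sender, address(this), amount); // return value ignored
        staked[msg.sender] += amount;                         // credited even on failure
    }
}

/// @notice Hardened form. `safeTransferFrom` uses a low-level call and reverts
///         if the call reverts, if it returns `false`, or if the target is not a
///         contract; empty return data is accepted, so tokens that return nothing
///         keep working.
contract SafeStaking {
    using SafeERC20 for IERC20;

    IERC20 public immutable TKN;
    mapping(address => uint256) public staked;

    constructor(IERC20 t) { TKN = t; }

    function stake(uint256 amount) external {
        TKN.safeTransferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;                         // only reached on success
    }

    /// @dev Equivalent explicit check for call sites that do not use the library.
    function unstake(uint256 amount) external {
        staked[msg.sender] -= amount;                         // effects before interaction
        bool ok = TKN.transfer(msg.sender, amount);
        require(ok, "TKN transfer failed");
    }
}
```

Against `FalseReturningToken`, calling `UnsafeStaking.stake` from an account with no balance or allowance succeeds and records a stake backed by nothing; `SafeStaking.stake` reverts. The explicit `require(ok, ...)` form in `unstake` is correct for standard tokens, but a high-level `IERC20.transfer` call reverts on ABI decoding for tokens that return no data at all, so `SafeERC20` is the more robust choice when the token set is not fixed.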
