This is a known Low issue; however, it should be bumped up to High, as malicious actors can abuse the protocol to drain all funds.
The Lender contract makes multiple transfer calls without checking the return value. This is particularly problematic because some token contracts do not revert when a transfer fails but instead return a boolean (false indicates failure).
The addToPool function serves as an illustrative example:
In this function, if the transferFrom call were to fail and return false (rather than reverting), the contract would not detect this failure. This would result in an inaccurate pool balance, potentially leading to significant financial consequences for the protocol.
Impact: High. Undetected failures in token transfers can result in significant financial loss for the protocol or its users due to inaccurate accounting within the contract.
Manual analysis
To mitigate this risk, we recommend using OpenZeppelin’s SafeERC20 library, which includes safeTransfer and safeTransferFrom functions. These functions handle the return value check as well as non-standard compliant tokens. This modification will ensure that any failed token transfers are immediately detected and handled appropriately.