Sparkn

CodeFox Inc.

DeFiFoundryProxy

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

[ M ] Some ERC20 tokens return a false bool even if transfer was successful

golanger85

Summary

Some particularly pathological ERC20 tokens (e.g. Tether Gold) declare a bool return,
but then return false, even when the transfer was successful.

Vulnerability Details

If Tether Gold or any other token with similar behavior is used,
the safeTransfer method might not be able to correctly determine if the transfer was successful.

Impact

As a result, the state of the contract might not be updated appropriately,
and funds could be left in the contract, leading to potential disputes or incorrect handling of prizes.

Tools Used

Manual Review

Recommendations

By comparing the initial and final token balances of the recipient after the safeTransfer call,
you can determine if the transfer was successful.

Something like this:

// Record initial balance

uint256 initialBalance = erc20.balanceOf(winners[i]);

// Transfer tokens

erc20.safeTransfer(winners[i], amount);

// Record final balance

uint256 finalBalance = erc20.balanceOf(winners[i]);

// Check if transfer was successful

if (finalBalance != initialBalance + amount) {

revert Distributor__TransferFailed();

}

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

194

77 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.