DittoETH

Ditto
DeFiFoundryOracle
55,000 USDC
Submission Details
Severity: high
Invalid

MEV attacks due to missing check of the `transfer`/`transferFrom` return value

Summary

Using the OpenZeppelin framework does not by itself guarantee that every token interaction is checked.
The Solidity function deposit ignores the return value of transferFrom. If the transfer fails but signals the failure by returning false instead of reverting, the contract continues as if the tokens had arrived, which can lead to loss of funds.

Vulnerability Details

In the deposit function, transferFrom is used to move tokens from an external address (from) to the contract's own address. The code never inspects the boolean returned by transferFrom, so a transfer that reports failure is treated the same as a successful one.

rocketETHToken.transferFrom(from, address(this), amount);

Impact

The missing check matters for tokens whose transferFrom returns false on failure instead of reverting. With such a token the scenario is a front-run: the holder `from` sees the Diamond's deposit transaction in the mempool and moves its tokens to another address ahead of it. The transferFrom then fails and returns false, but because the return value is ignored the deposit completes and the caller is credited without any tokens arriving in the contract. Note that tokens built on OpenZeppelin's ERC20 revert on an insufficient balance or allowance rather than returning false, so whether the scenario applies depends on the actual rocketETHToken implementation; against a reverting token the whole transaction simply reverts and nothing is credited.

Tools Used

Recommendations

To mitigate this, check the return value of transferFrom and handle the failure case: revert the transaction, or take other action that safeguards user funds. OpenZeppelin's SafeERC20 wrapper (safeTransferFrom) does this uniformly, reverting both when the token returns false and when it returns no data at all.

require(rocketETHToken.transferFrom(from, address(this), amount), "TransferFrom failed");

This ensures that the contract will revert the transaction if the token transfer fails, preventing unintended consequences and potential loss of funds.

The same issue appears in the attached links.
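The following is an added illustration of the recommendation and is not code from the DittoETH project or this submission. It pairs the unchecked deposit pattern with a SafeERC20 version and drives both against a constructed mock token that returns false instead of reverting; the contract names, the `credited` mapping and the Foundry test are assumptions made for the example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

// Constructed mock (hypothetical, not rETH): reports failure by returning
// false rather than reverting, which is exactly the case the finding needs.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        return _move(msg.sender, to, amount);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Check both conditions before mutating so a failed call has no side effects.
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] -= amount;
        return _move(from, to, amount);
    }

    function _move(address from, address to, uint256 amount) internal returns (bool) {
        if (balanceOf[from] < amount) return false;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Vulnerable pattern from the finding: the boolean from transferFrom is dropped.
contract LooseVault {
    IERC20 public immutable token;
    mapping(address => uint256) public credited; // assumed internal accounting

    constructor(IERC20 t) { token = t; }

    function deposit(address from, uint256 amount) external {
        token.transferFrom(from, address(this), amount);
        credited[from] += amount; // credited even when the transfer returned false
    }
}

// Hardened pattern: SafeERC20 reverts when the token returns false or no data.
contract CheckedVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 t) { token = t; }

    function deposit(address from, uint256 amount) external {
        token.safeTransferFrom(from, address(this), amount);
        credited[from] += amount; // only reached if tokens actually moved
    }
}

// Foundry test (assumed harness) showing the two behaviours side by side.
contract DepositReturnValueTest is Test {
    FalseReturningToken token;
    LooseVault loose;
    CheckedVault checked;
    address alice = makeAddr("alice");

    function setUp() public {
        token = new FalseReturningToken();
        loose = new LooseVault(IERC20(address(token)));
        checked = new CheckedVault(IERC20(address(token)));
        // alice holds 10 tokens but approves more than she holds, so a 50-token
        // pull fails the balance check and the mock returns false.
        token.transfer(alice, 10e18);
        vm.startPrank(alice);
        token.approve(address(loose), 100e18);
        token.approve(address(checked), 100e18);
        vm.stopPrank();
    }

    function test_looseVaultCreditsWithoutTokens() public {
        loose.deposit(alice, 50e18); // no revert: transferFrom returned false
        assertEq(loose.credited(alice), 50e18);
        assertEq(token.balanceOf(address(loose)), 0); // nothing actually arrived
    }

    function test_checkedVaultReverts() public {
        vm.expectRevert(); // SafeERC20 surfaces the false return as a revert
        checked.deposit(alice, 50e18);
        assertEq(checked.credited(alice), 0);
    }
}
```

Run with `forge test` in a project that has the OpenZeppelin and forge-std dependencies installed. Against a token that reverts on failure (as OpenZeppelin's ERC20 does) both vaults would revert and the first test would fail, which is the quickest way to confirm whether a given token actually exhibits the false-returning behaviour this finding relies on.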

Updates

Lead Judging Commences

0xnevi Lead Judge
almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Other
