DittoETH
Ditto
DeFiFoundryOracle
55,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unsafe ERC20 Operation(s)

thedoctor

Summary

Unsafe ERC20 Operation(s)

ERC20 operations can be unsafe due to different implementations and vulnerabilities in the standard.

It is therefore recommended to always either use OpenZeppelin's SafeERC20 library or at least to wrap each operation in a require statement.

To circumvent ERC20's approve functions race-condition vulnerability use OpenZeppelin's SafeERC20 library's safe{Increase|Decrease}Allowance functions.

In case the vulnerability is of no danger for your implementation, provide enough documentation explaining the reasonings.

Vulnerability Details

../2023-09-ditto/contracts/bridges/BridgeReth.sol::64 => rocketETHToken.transferFrom(from, address(this), amount);
../2023-09-ditto/contracts/bridges/BridgeReth.sol::94 => rocketETHToken.transfer(to, rethValue);
../2023-09-ditto/contracts/bridges/BridgeSteth.sol::26 => steth.approve(
../2023-09-ditto/contracts/bridges/BridgeSteth.sol::66 => steth.transferFrom(from, address(this), amount);
../2023-09-ditto/contracts/bridges/BridgeSteth.sol::87 => steth.transfer(to, amount);
../2023-09-ditto/contracts/mocks/RocketTokenRETH.sol::42 => payable(msg.sender).transfer(ethAmount);
../2023-09-ditto/contracts/mocks/UNSTETH.sol::59 => steth.transferFrom(_owner, address(this), _amounts[i]);

Impact

If ERC20 transfer or transferFrom call fails it will lead to stuck funds for a user. This only happens with a special class of ERC20 tokens though, so it is Medium severity.

Tools Used

Manual Review

Recommendations

Use OpenZeppelin SafeERC20 implementation for transferFrom and transfer functions

Updates

Lead Judging Commences

0xnevi Lead Judge
over 1 year ago
0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.