Steadefi

35,000 USDC
Submission Details
Severity: medium
Invalid

Unsafe Use of safeTransferFrom in GMXCompound

Summary

The GMXCompound contract uses the safeTransferFrom function to transfer tokens from the trove to the vault during the compound operation. While using safeTransferFrom is a recommended practice for token transfers, the absence of proper error handling and checks in this context will pose a security risk.

Vulnerability Details

  • The safeTransferFrom function is used to transfer tokens from the trove to the vault. While this function is designed to check for errors during transfers, the code does not handle potential errors and lacks proper checks after the transfer.

  • If the safeTransferFrom function encounters an error, such as a failed transfer due to insufficient allowances, the code does not provide appropriate error handling.

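// GMXCompound contract
// Import paths assume OpenZeppelin's contracts package; the submission does not name the library.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract GMXCompound {
    using SafeERC20 for IERC20;

    IERC20 public token;
    address public trove;

    function compound() external {
        // Unsafe use of safeTransferFrom without error handling
        token.safeTransferFrom(trove, address(this), 1 ether);
        // No error handling or checks here
    }
}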

Impact

  • The impact of this vulnerability can vary based on the token and the trove's state. If a token transfer fails due to insufficient allowances or other issues, it could disrupt the compound operation and potentially affect the protocol's normal functioning.

Tools Used

Recommendations

  • Implement proper error handling for token transfers using the safeTransferFrom function. Ensure that errors are appropriately logged or handled to prevent unexpected behavior.

  • Add checks to verify that the token transfer was successful, and if not, handle the failure.

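// Import paths assume OpenZeppelin's contracts package; the submission does not name the library.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

contract GMXCompound {
    using SafeERC20 for IERC20;
    IERC20 public token;
    address public trove;
    function compound() external {
        // Use safeTransferFrom and handle errors.
        // OpenZeppelin's SafeERC20.safeTransferFrom returns no value, so it cannot be passed
        // to require(); the check is made on the vault's balance change instead.
        uint256 balanceBefore = token.balanceOf(address(this));
        token.safeTransferFrom(trove, address(this), 1 ether);
        require(token.balanceOf(address(this)) >= balanceBefore + 1 ether, "Transfer failed");
        // Additional checks or handling after the transfer
    }
}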
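
What a caller observes when a safe-transfer wrapper meets a failing token, as an added example that is not code from the submission, Steadefi or OpenZeppelin. `SafeTransferSketch`, `ReturnsFalseToken`, `CompoundSketch` and `Demo` are hypothetical names, and the wrapper assumes the library in use reverts on a reverting or false-returning `transferFrom`, as OpenZeppelin's SafeERC20 does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Added example: hypothetical names throughout, not Steadefi or library code.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Wrapper written for this example: reverts if the token call reverts
// or if the token reports failure by returning false.
library SafeTransferSketch {
    function safeTransferFrom(IERC20Like token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20Like.transferFrom.selector, from, to, amount)
        );
        require(ok, "token call reverted");
        if (ret.length == 0) {
            // Tokens that return nothing are accepted only if code exists at the address
            require(address(token).code.length > 0, "not a contract");
        } else {
            require(abi.decode(ret, (bool)), "token returned false");
        }
    }
}

// Constructed token that signals failure with `false` instead of reverting
contract ReturnsFalseToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

contract CompoundSketch {
    using SafeTransferSketch for IERC20Like;
    IERC20Like public immutable token;
    address public immutable trove;
    constructor(IERC20Like token_, address trove_) { token = token_; trove = trove_; }
    function compound() external {
        token.safeTransferFrom(trove, address(this), 1 ether);
        // Execution continues here only when the transfer succeeded
    }
}

contract Demo {
    // Calls compound() against the failing token and reports whether the call reverted
    function run() external returns (bool reverted) {
        IERC20Like t = IERC20Like(address(new ReturnsFalseToken()));
        CompoundSketch c = new CompoundSketch(t, address(0xBEEF));
        try c.compound() { reverted = false; } catch { reverted = true; }
    }
}
```
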
Updates

Lead Judging Commences

hans Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
