Steadefi
Steadefi
DeFiHardhatFoundryOracle
35,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

On attempting to transfer tokens from an external contract (self.trove) to itself (address(this)). If transfer operations fail, the contract does not handle errors/revert the transaction

0xVinylDavyl

Summary

On attempting to transfer tokens from an external contract (self.trove) to itself (address(this)). If any of these transfer operations fail, the contract does not handle these errors or revert the transaction, leaving contract in inconsistent state. The contract lacks comprehensive error handling. If any of the transfer operations in the compound function fails, it doesn't handle the error, potentially leaving the contract in an inconsistent state.

Vulnerability Details

The GMXCompound.sol contract is vulnerable due to a lack of comprehensive error handling, particularly in the compound function. Error handling is a fundamental security practice that ensures a smart contract can gracefully respond to unexpected errors and failures. In the absence of error handling, if any of the transfer operations within the compound function fail, the contract does not handle these errors properly.

Vulnerable code snippet:

if (self.tokenA.balanceOf(address(self.trove)) > 0) {
self.tokenA.safeTransferFrom(
address(self.trove),
address(this),
self.tokenA.balanceOf(address(self.trove))
);
}
if (self.tokenB.balanceOf(address(self.trove)) > 0) {
self.tokenB.safeTransferFrom(
address(self.trove),
address(this),
self.tokenB.balanceOf(address(self.trove))
);
}

In contrat, attempting to transfer tokens from an external contract (self.trove) to itself (address(this)). If any of these transfer operations fail, the contract does not handle these errors or revert the transaction, potentially leaving the contract in an inconsistent state.

Impact

If a transfer operation fails due to unforeseen circumstances (e.g., out-of-gas, lack of allowance, or other issues), the contract may be left in an unexpected and potentially insecure state. The consequences include:

  1. Loss of funds or assets: Failed transfers could result in the loss of tokens.

  2. Inconsistent contract state: The contract may be left in an inconsistent state, making it unpredictable and unreliable.

Recommendations

To mitigate this vulnerability and enhance the contract's robustness, comprehensive error handling should be implemented. Here are some recommendations:

  1. Implement Error Handling: Properly handle errors for token transfers and other critical operations. Ensure that the contract responds to errors by reverting the transaction and avoiding an inconsistent state:

    if (self.tokenA.balanceOf(address(self.trove)) > 0) {
    bool tokenATransferSuccess = self.tokenA.safeTransferFrom(
    address(self.trove),
    address(this),
    self.tokenA.balanceOf(address(self.trove))
    );
    require(tokenATransferSuccess, "TokenA transfer failed");
    }
    if (self.tokenB.balanceOf(address(self.trove)) > 0) {
    bool tokenBTransferSuccess = self.tokenB.safeTransferFrom(
    address(self.trove),
    address(this),
    self.tokenB.balanceOf(address(self.trove))
    );
    require(tokenBTransferSuccess, "TokenB transfer failed");
    }

  2. Use Safe Transfer Functions: The code appears to use the safeTransferFrom function, which is a good practice for token transfers. Ensure that this function is correctly implemented.

Updates

Lead Judging Commences

hans Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.