stake.link
stake.link
DeFiHardhatBridge
27,500 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

`onTokenTransfer` does not allow to limit the amount of mintable tokens

larsson

Summary

The onTokenTransfer function lacks a mechanism to restrict the number of tokens mintable in a single transaction.

Vulnerability Details

When an investor tries to receive or distribute the tokens in the WrappedTokenBridge/SDLPoolPrimary/SDLPoolSecondary contracts, the onTokenTransfer function does not allow to limit the amount of tokens that can be minted during the particular transaction. Because of that, limiting the allowance won’t help, so the user doesn’t know how many tokens can be bought.

Impact

The owner of the price oracle can front-run the transaction and twist the price.

Tools Used

Manual Review

Recommendations

Since you cannot add an extra argument to this function, the minimal token amount is optionally added to the _calldata parameter. This parameter became a bit complicated and remains optional. So, the result of the direct token transfer with empty _data can theoretically be manipulated by the owner.

+ // if a recipient address was provided in data, use it as receiver. Otherwise, use `_sender` as receiver.
+ address tokenReceiver;
+ if (_calldata.length >= 32) {
+ tokenReceiver = abi.decode(_calldata[:32], (address));
+ } else {
+ tokenReceiver = _sender ;
+ }
+ uint256 amount
+
+ // if a minimum amount was provided in data, enforce it.
+ if (_calldata.length >= 64) {
+ require(amount >= abi.decode(_calldata[32:64], (uint256)), "Purchase yields less tokens than demanded.");
+ }
Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.