The Standard

DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

LiquidationPoolManager::forwardRemainingRewards() does not check the result of token transfers

Summary and Vulnerability Details

The forwardRemainingRewards() function in the LiquidationPoolManager contract does not check the result of ERC20 token transfers to the protocol EOA.

The result of standard ERC20 token transfers should always be verified; otherwise there is no way to know whether the transfer succeeded. Preferably, the OpenZeppelin SafeERC20 contract should be used.

SafeERC20 also supports tokens that return no value (and instead revert or throw on failure): non-reverting calls are assumed to be successful.

Impact

A token transfer may fail silently, leaving the contract no opportunity to act accordingly.

Tools Used

Manual Review

Recommendations

Check the return value after the token transfer, for example:

bool sent = IERC20(_token.addr).transfer(protocol, balance);
require(sent, "Token transfer failed");

or, preferably, use SafeERC20:

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
...
using SafeERC20 for IERC20;
...
IERC20(_token.addr).safeTransfer(protocol, balance);
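
The failure mode described above, as an added example that is not part of the original submission or the protocol's code: a constructed token that returns false instead of reverting, forwarded once with the return value dropped and once with a simplified check in the spirit of SafeERC20 (not OpenZeppelin's implementation). The names FalseReturningToken, Forwarder, forwardUnchecked and forwardChecked are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Constructed test token: reports failure by returning false, never reverts.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    mapping(address => bool) public blocked;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function setBlocked(address who, bool isBlocked) external { blocked[who] = isBlocked; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        if (blocked[to] || balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical forwarder, not the LiquidationPoolManager source.
contract Forwarder {
    event Forwarded(address indexed token, uint256 amount);

    // Return value dropped: with a blocked recipient the event is still
    // emitted and the call succeeds, but no tokens have moved.
    function forwardUnchecked(IERC20 token, address protocol) external {
        uint256 balance = token.balanceOf(address(this));
        token.transfer(protocol, balance);
        emit Forwarded(address(token), balance);
    }

    // Low-level call, then: no revert, target has code, and the return data is
    // either empty (no-return-value token) or decodes to true.
    function forwardChecked(IERC20 token, address protocol) external {
        uint256 balance = token.balanceOf(address(this));
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, protocol, balance)
        );
        bool success = ok && address(token).code.length > 0
            && (ret.length == 0 || abi.decode(ret, (bool)));
        require(success, "Token transfer failed");
        emit Forwarded(address(token), balance);
    }
}
```

After minting to the Forwarder and calling setBlocked on the recipient, forwardUnchecked completes and logs Forwarded while the Forwarder's balance is unchanged; forwardChecked reverts with "Token transfer failed".
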
Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

informational/invalid
