The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Zero Transfer Revert Vulnerability in LiquidationPool.sol

albahaca

Summary

This report identifies a medium-severity vulnerability in the LiquidationPool.sol contract that can cause some tokens to revert on transfer of zero amount.

Vulnerability Details

The vulnerability is located in line 185 where the safeTransferFrom function of the IERC20 interface is used to transfer EUROs tokens from the sender to the contract. This function can revert if the token contract implements a check for zero amount transfer and throws an exception. This can happen if the _amount parameter is zero or the sender has no balance of EUROs tokens.

185 IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _amount);

https://github.com/Cyfrin/2023-12-the-standard/blob/main/contracts/LiquidationPool.sol#L185

Impact

The impact of this vulnerability is medium, as it can affect the functionality and usability of the contract. A revert on zero transfer can prevent the execution of the distributeFees function, which can affect the distribution of fees to the holders and pending stakes. This can also cause the sender to lose gas fees and experience a bad user experience.

Tools Used

manual code review

Recommendations

To prevent this vulnerability, it is recommended to add a condition to check if the _amount parameter is greater than zero before calling the safeTransferFrom function.

function distributeFees(uint256 _amount) external onlyManager {

uint256 tstTotal = getTstTotal();

- if (tstTotal > 0) {

+ if (tstTotal > 0 && _amount > 0) {

IERC20(EUROs).safeTransferFrom(msg.sender, address(this), _amount);

for (uint256 i = 0; i < holders.length; i++) {

address _holder = holders[i];

positions[_holder].EUROs += _amount * positions[_holder].TST / tstTotal;

}

for (uint256 i = 0; i < pendingStakes.length; i++) {

pendingStakes[i].EUROs += _amount * pendingStakes[i].TST / tstTotal;

}

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Known issue

Assigned finding tags:

unchecked-transfer

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.