The Standard
DeFi, Hardhat
20,000 USDC
Submission Details
Severity: low
Invalid

Return value of "transfer" is not checked

Summary

Return value of "transfer" is not checked

Vulnerability Details

According to OpenZeppelin's EIP-20, the return value of a transfer should be checked, since it shows whether the transfer succeeded or failed.

However, the claimRewards function calls "transfer" without checking the return value. That is, it does not check whether the transfer succeeds or fails.

A transfer can fail silently for different reasons. When this happens, the LiquidationPool contract (the reward-sending contract) will not revert. The contract deletes the user's reward, even though the reward is still in the contract, and treats the user as having claimed it. This is how the claimRewards function is coded.

Impact

A user can lose his rewards forever - even though the reward is still in the contract.

Tools Used

Manual review

Recommendations

Use safeTransfer instead of transfer
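
The unchecked pattern described above next to the recommended safeTransfer form, as an added example that is not the LiquidationPool code and not part of the original submission. The contract RewardPoolSketch and its function names are hypothetical, and the imports assume OpenZeppelin Contracts is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical reward pool, constructed for illustration only.
contract RewardPoolSketch {
    using SafeERC20 for IERC20;

    IERC20 public immutable rewardToken;
    mapping(address => uint256) public rewards;

    constructor(IERC20 token) {
        rewardToken = token;
    }

    // Funds a user's reward by pulling tokens from the caller.
    function creditReward(address user, uint256 amount) external {
        rewardToken.safeTransferFrom(msg.sender, address(this), amount);
        rewards[user] += amount;
    }

    // Pattern described in the finding: the bool returned by transfer is
    // dropped. If the token returns false instead of reverting, the reward
    // entry is already deleted while the tokens stay in this contract.
    function claimUnchecked() external {
        uint256 amount = rewards[msg.sender];
        delete rewards[msg.sender];
        rewardToken.transfer(msg.sender, amount); // return value ignored
    }

    // Recommended form: safeTransfer reverts when the call fails or the
    // token returns false, and accepts tokens that return no data. The
    // revert rolls back the delete, so the reward entry is preserved.
    function claimSafe() external {
        uint256 amount = rewards[msg.sender];
        require(amount > 0, "nothing to claim");
        delete rewards[msg.sender];
        rewardToken.safeTransfer(msg.sender, amount);
    }
}
```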

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

informational/invalid
