The return value of an external call is not stored in a local or state variable.
In the contracts L1Sender, SwapRouterMock, GatewayRouterMock and WStETHMock, there are instances where external methods are called and their return values are ignored.
In Solidity smart contracts, it is important to handle the return values of external calls to functions, especially when interacting with ERC20 tokens. Ignoring return values can lead to situations where a contract assumes an operation was successful when it may have failed. This can cause logical errors in the contract's execution and potentially lead to loss of funds or other unintended consequences.
Potential for Silent Failures: If the approve, transfer or transferFrom functions do not behave as expected and the contract does not check the return value, the contract may assume that the approval or transfer was successful when it was not. Subsequent actions that depend on this approval or transfer (like token transfers) can then fail, potentially disrupting the contract's logic.
Dependence on Token Compliance: The issue arises from the assumption that all ERC20 tokens will behave according to the standard. However, not all tokens are compliant, and some may return false or no value at all upon failure. This reliance on token compliance increases the risk.
Impact on User Funds: If the contract is a critical part of a financial system or handles user funds, any malfunction could have direct financial consequences for users.
Manual Analysis, AI.
Ensure that all the return values of the function calls are used.
Add return value checks to avoid an unexpected crash of the contract. Checking return values will also help in handling exceptions in a better way.
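The sketch below is an added example, not code from the audited contracts: it places the ignored-return pattern beside a checked form that also copes with tokens returning `false` or no value at all. The names `CheckedERC20`, `ExampleSender` and their functions are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical helper, not part of the audited code base.
library CheckedERC20 {
    error TokenCallFailed(address token);
    // Accept the call only if it did not revert AND either returned true,
    // or returned nothing from an address that actually holds code.
    function _callToken(IERC20 token, bytes memory data) private {
        (bool ok, bytes memory ret) = address(token).call(data);
        bool accepted = ok && (
            ret.length == 0
                ? address(token).code.length > 0
                : ret.length >= 32 && abi.decode(ret, (bool))
        );
        if (!accepted) revert TokenCallFailed(address(token));
    }

    function checkedApprove(IERC20 token, address spender, uint256 amount) internal {
        _callToken(token, abi.encodeCall(IERC20.approve, (spender, amount)));
    }
    function checkedTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callToken(token, abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }
}

// Hypothetical contract showing both forms side by side.
contract ExampleSender {
    using CheckedERC20 for IERC20;
    IERC20 public immutable token;
    constructor(IERC20 token_) { token = token_; }
    // Pattern from the finding: a `false` return is dropped and execution continues.
    function pullAndApproveUnchecked(address router, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        token.approve(router, amount);
    }

    // Checked form: any failure reverts the whole transaction.
    function pullAndApproveChecked(address router, uint256 amount) external {
        token.checkedTransferFrom(msg.sender, address(this), amount);
        token.checkedApprove(router, amount);
    }
}
```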