First Flight #10: One Shot

First Flight #10

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

`ICredToken::approve`, `ICredToken::transfer` And `ICredToken::transferFrom` Have Incorrect ERC20 Function Interfaces

paprikrumplikas

Vulnerability Details

ICredToken::approve, ICredToken::transfer and ICredToken::transferFrom have incorrect ERC20 function interfaces. These ERC20 functions should return a bool value to indicate success or failiure, but the ICredToken interface do not define these return values. A contract compiled with Solidity > 0.4.22 interacting with these functions will fail to execute them, as the return value is missing.

Impact

Smart contracts interacting with ICredToken expecting boolean return values from these functions may revert or fail to execute as anticipated, leading to potential integration issues or loss of functionality.

Proof of Concept

Consider a DeFi platform that offers a staking feature, allowing users to stake ERC20 tokens in return for rewards:

contract DeFiStakingContract {

ICredToken public token;

constructor(ICredToken _token) {

token = _token;

}

function stakeTokens(uint256 _amount) public {

// Expecting a boolean return value to ensure the transfer was successful

require(token.transferFrom(msg.sender, address(this), _amount), "Transfer failed");

// Logic to handle successful staking

}

The stakeTokens function uses require to check the success of transferFrom by expecting a boolean return value. However, since ICredToken's transferFrom does not return any value (due to the incorrect interface definition), the contract will revert and fail to execute, preventing users from staking their tokens.

Tools Used

Slither

Recommendations

Update the ICredToken interface to align with the ERC20 standard by ensuring that approve, transfer, and transferFrom return a boolean value:

- function approve(address to, uint256 amount) external;

- function transfer(address to, uint256 amount) external;

- function transferFrom(address from, address to, uint256 amount) external;

+ function approve(address to, uint256 amount) external returns (bool);

+ function transfer(address to, uint256 amount) external returns (bool);

+ function transferFrom(address from, address to, uint256 amount) external returns (bool);

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

201

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!