Moonwell

DeFiFoundry
15,000 USDC
Submission Details
Severity: medium
Invalid

Unsecured Transfer Function in `MErc20DelegateMadFixer` Contract

Summary

The sweepAll function in the MErc20DelegateMadFixer contract calls token.transfer through the standard ERC20 interface and expects a bool return value. Not every deployed ERC20 token returns one: USDT, for example, returns nothing from transfer. When the token returns no data, Solidity's decoding of the expected bool reverts, so sweepAll cannot complete for such tokens and the sweep fails.

Vulnerability Details

The vulnerable code segment is as follows:

bool success = token.transfer(sweeper, token.balanceOf(address(this)));
require(success, "token sweep failed");

Here, the contract calls transfer through an interface that declares a bool return value and uses that value to decide whether the sweep succeeded. The ERC20 standard specifies this return value, but several widely used tokens, USDT among them, do not return anything from transfer. Since Solidity 0.4.22 the compiler checks the size of the returned data before decoding it; when the token returns zero bytes and a 32-byte bool was expected, the external call reverts on the spot, and the require on success is never reached. Note that the require itself is correct for tokens that return false on failure; the problem is specifically tokens whose return data is not a single bool.

Impact

For any token whose transfer returns no value, every call to sweepAll reverts, so that token cannot be swept out of the contract through this function. The contract does not misread the result; the transaction simply fails. If the contract holds such a token and sweepAll is the only path for recovering it, the balance remains stuck in the contract.

Tools Used

Manual review

Recommendations

To mitigate this vulnerability:

  1. Use a safe transfer mechanism instead of relying on the declared bool return value. OpenZeppelin's SafeERC20.safeTransfer performs a low-level call, accepts empty return data as success, and reverts if the token returns false, which covers both standard and non-returning tokens.

  2. Treat a failed sweep as a hard failure: revert with a clear error rather than silently continuing, and test sweepAll against a non-returning token mock so the incompatibility is caught before deployment.
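The following is an added example, not code from the Moonwell or MErc20DelegateMadFixer contracts: a constructed USDT-style token that returns nothing from transfer, the sweep pattern flagged in the report (UnsafeSweeper, whose sweepAll reverts against that token), and a hardened SafeSweeper that performs the same return-data check OpenZeppelin's SafeERC20.safeTransfer does. The contract and function names other than sweepAll are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Standard ERC20 surface used by the sweeper: `transfer` is declared to return a bool.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

/// Constructed USDT-style token (hypothetical, for illustration only): balances move,
/// but `transfer` declares no return value, so the call returns zero bytes of data.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// "Before": the pattern the report flags. The compiler expects 32 bytes of return
/// data to decode into `success`; NoReturnToken returns 0 bytes, so the external
/// call reverts before `require` is ever evaluated.
contract UnsafeSweeper {
    function sweepAll(IERC20 token, address sweeper) external {
        bool success = token.transfer(sweeper, token.balanceOf(address(this)));
        require(success, "token sweep failed");
    }
}

/// "After": a low-level call that accepts empty return data, decodes a bool when
/// data is present, and refuses to treat a call to a non-contract as success.
/// This mirrors the check in OpenZeppelin's SafeERC20.safeTransfer; in a real
/// code base prefer the library over hand-rolling it.
contract SafeSweeper {
    function sweepAll(IERC20 token, address sweeper) external {
        uint256 amount = token.balanceOf(address(this));
        _safeTransfer(token, sweeper, amount);
    }

    function _safeTransfer(IERC20 token, address to, uint256 amount) internal {
        // A call to an EOA "succeeds" with empty return data, so rule that out first.
        require(address(token).code.length > 0, "token is not a contract");

        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        // Accept: call succeeded AND (no return data OR the return data decodes to true).
        // Reject: the call reverted, or the token explicitly returned false.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "token sweep failed");
    }
}
```

To reproduce the report's finding, deploy NoReturnToken, mint a balance to each sweeper contract, and call sweepAll on both: UnsafeSweeper reverts because decoding the missing bool fails, while SafeSweeper moves the balance to the sweeper address. Against a token that returns false on failure, both contracts revert with "token sweep failed", which is the behaviour the original require was written for.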

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
