First Flight #18: T-Swap

First Flight #18 (Beginner Friendly, DeFi, Foundry)
Submission Details
Severity: low
Valid

Unexpected full-balance transfer instead of a revert when the amount exceeds the sender's balance.

Summary

Certain non-standard ERC20 tokens transfer the sender's entire balance if transferFrom is called with an amount higher than the sender's balance, instead of failing the transaction.

Vulnerability Details

Some ERC20 tokens deviate from the standard behavior by transferring the sender's full balance when the requested transfer amount exceeds the balance. This can lead to unexpected token transfers, potentially causing logic errors in contracts that assume standard ERC20 behavior.

Impact

An attacker can pass any input amount to the pool; when the pool calls safeTransferFrom it trusts the ERC20 token to have transferred exactly the amount specified. With a token that silently clamps to the sender's balance, the attacker can receive liquidity tokens or perform swaps without paying the expected amount of tokens.

Tools Used

Manual review

Recommendations

  1. Balance Check: Before calling transferFrom, explicitly check the sender's balance and ensure the transfer amount does not exceed it.

  2. Token Whitelisting: Use a whitelist of verified tokens that adhere to the standard ERC20 behavior to prevent unexpected issues.
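The following is an added example of recommendation 1 in a hypothetical pool contract, not T-Swap's own code. It goes one step further than the text by also measuring the pool's balance delta after the transfer, which catches any token whose transferFrom moves a different amount than requested (the clamping behaviour described above, and fee-on-transfer tokens). It assumes OpenZeppelin's IERC20 and SafeERC20; the contract, function and error names are made up for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Hypothetical pool fragment (not T-Swap's code) showing an explicit
///      sender-balance check before the transfer and a balance-delta check after it.
contract GuardedDeposit {
    using SafeERC20 for IERC20;

    IERC20 public immutable poolToken;
    mapping(address => uint256) public credited; // hypothetical accounting

    error InsufficientSenderBalance(uint256 requested, uint256 available);
    error UnexpectedReceivedAmount(uint256 requested, uint256 received);

    constructor(IERC20 _poolToken) {
        poolToken = _poolToken;
    }

    function deposit(uint256 amount) external {
        // 1) Recommendation 1: refuse up front if the caller cannot cover `amount`,
        //    so a token that silently clamps to the caller's balance never gets the chance.
        uint256 available = poolToken.balanceOf(msg.sender);
        if (amount > available) revert InsufficientSenderBalance(amount, available);

        // 2) Defence in depth: account for what actually arrived, not the argument.
        //    Measuring the delta also catches fee-on-transfer and other non-standard tokens.
        uint256 before = poolToken.balanceOf(address(this));
        poolToken.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = poolToken.balanceOf(address(this)) - before;
        if (received != amount) revert UnexpectedReceivedAmount(amount, received);

        // Only now is it safe to mint liquidity tokens or update reserves from `received`.
        credited[msg.sender] += received;
    }
}
```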

Updates

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Extremely weird ERC20
