First Flight #21: KittyFi

Submission Details
Severity: high
Invalid

Potential for a loss of funds in the executeDepawsit() function due to the use of `safeTransferFrom(_user, address(this), _ameownt)` without an approval or allowance check.

Description:

This line of code, `IERC20(i_token).safeTransferFrom(_user, address(this), _ameownt)`, transfers `_ameownt` amount of tokens from `_user` to the contract (`address(this)`). However, it does not explicitly check whether `_user` has approved the contract to spend the specified amount of tokens on their behalf.

```solidity
function executeDepawsit(address _user, uint256 _ameownt) external onlyPool {
    uint256 _totalMeowllateral = getTotalMeowllateral();
    uint256 _cattyNipGenerated;
    if (_totalMeowllateral == 0) {
        _cattyNipGenerated = _ameownt;
    }
    else {
        _cattyNipGenerated = _ameownt.mulDiv(totalCattyNip, _totalMeowllateral);
    }
    userToCattyNip[_user] += _cattyNipGenerated;
    totalCattyNip += _cattyNipGenerated;
    totalMeowllateralInVault += _ameownt;
    IERC20(i_token).safeTransferFrom(_user, address(this), _ameownt);
}
```

Impact:

Loss of funds. Users might lose their tokens if they haven't approved the contract to spend tokens on their behalf, leading to a failed transaction. Additionally, if the user's allowance is insufficient or if the user does not have enough balance, the transaction will fail.

Proof of Concept:

Without explicit checks for approval or sufficient allowance, the contract assumes that the user has already approved the contract to spend tokens on their behalf.

  • Assume a user tries to deposit tokens without first setting an allowance for the contract to transfer their tokens.

  • The safeTransferFrom call will fail, and the transaction will revert, causing the entire executeDepawsit() function to revert as well.

  • This failure interrupts the deposit process.

Tools Used

manual review

Recommended Mitigation:

Add a check before the `safeTransferFrom` call to prevent the function from reverting and to provide a clear error message to the user if the allowance is insufficient. This can be done by comparing the user's current allowance with the `_ameownt` before executing the transfer:

```solidity
require(IERC20(i_token).allowance(_user, address(this)) >= _ameownt, "Insufficient allowance");
```

Updates

Lead Judging Commences

shikhar229169 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
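
What a deposit without prior approval does on-chain, as an added Foundry test that is not part of the submission or of the KittyFi code base: the transfer reverts, and the revert rolls back the accounting written earlier in the same call, so no tokens move and no shares are credited. `MockToken` and `MockVault` are constructed stand-ins; they assume a token that reverts on insufficient allowance (as OpenZeppelin's ERC20 does) and leave out the `onlyPool` modifier and the `mulDiv` share math.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed minimal token: reverts on insufficient allowance, like OpenZeppelin's ERC20.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    function mint(address to, uint256 amt) external { balanceOf[to] += amt; }
    function approve(address spender, uint256 amt) external { allowance[msg.sender][spender] = amt; }
    function transferFrom(address from, address to, uint256 amt) external returns (bool) {
        require(allowance[from][msg.sender] >= amt, "insufficient allowance");
        allowance[from][msg.sender] -= amt;
        balanceOf[from] -= amt;
        balanceOf[to] += amt;
        return true;
    }
}

// Hypothetical stand-in for the vault: same ordering as executeDepawsit
// (accounting first, token transfer last).
contract MockVault {
    MockToken public immutable token;
    uint256 public totalMeowllateralInVault;
    mapping(address => uint256) public userToCattyNip;
    constructor(MockToken _token) { token = _token; }
    function executeDepawsit(address _user, uint256 _ameownt) external {
        userToCattyNip[_user] += _ameownt;
        totalMeowllateralInVault += _ameownt;
        token.transferFrom(_user, address(this), _ameownt); // reverts without approval
    }
}

contract DepawsitRevertTest is Test {
    function test_noApproval_revertsAndChangesNothing() public {
        MockToken token = new MockToken();
        MockVault vault = new MockVault(token);
        address user = makeAddr("user");
        token.mint(user, 100e18);

        vm.expectRevert(bytes("insufficient allowance"));
        vault.executeDepawsit(user, 100e18); // no approve() beforehand

        assertEq(token.balanceOf(user), 100e18);        // user keeps every token
        assertEq(vault.userToCattyNip(user), 0);        // share accounting rolled back
        assertEq(vault.totalMeowllateralInVault(), 0);  // vault total rolled back
    }
}
```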
