The settleAskMaker function in the DeliveryPlace contract performs token transfers without verifying their success, leading to inconsistencies between the contract's state and actual token balances. This vulnerability could result in loss of funds and disruption of the protocol's operation.
The vulnerability is present in the settleAskMaker function of the DeliveryPlace contract. Specifically, the function calls tokenManager.tillIn() and tokenManager.addTokenBalance() without checking their return values or using a try/catch mechanism:
The function assumes these calls will always succeed. However, token transfers can fail for various reasons, such as insufficient balance, blacklisted addresses, or paused contracts. If a transfer fails silently, the contract will continue execution as if the transfer was successful, leading to an inconsistent state.
The impact of this vulnerability is severe:
Loss of Funds: Users might not receive tokens they're entitled to if transfers fail silently.
Inconsistent State: The contract's state (e.g., settled points, balances) may not reflect the actual token distribution.
Broken Invariants: Important protocol invariants, like conservation of tokens, may be violated.
Manual Review
To address this vulnerability, implement the following measures:
Check Return Values: For ERC20 tokens that return boolean values, check the return value of the transfer function.
Implement Try/Catch: Use try/catch for external calls to handle potential reverts gracefully.
Revert on Failure: Ensure that the function reverts if any token transfer fails, maintaining the contract's consistency.
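As an added illustration (not the DeliveryPlace code, which this page does not reproduce), the unchecked pattern is shown next to a version that applies the three measures above; the ITokenManager interface, its function signatures and the settledPoints bookkeeping are assumed for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for the example: the real TokenManager signatures are not on this page.
// Both calls are modelled as returning a bool, like a standard-conforming ERC20 transfer.
interface ITokenManager {
    function tillIn(address from, address token, uint256 amount) external returns (bool);
    function addTokenBalance(address to, address token, uint256 amount) external returns (bool);
}

contract SettlementExample {
    ITokenManager public immutable tokenManager;
    mapping(address => uint256) public settledPoints; // assumed state updated by the settlement

    error TillInFailed(bytes reason);
    error TokenCallReturnedFalse(string which);

    constructor(ITokenManager _tokenManager) {
        tokenManager = _tokenManager;
    }

    // The pattern the finding describes: state is updated whether or not the transfers succeeded.
    // A token that returns false instead of reverting leaves settledPoints out of sync with balances.
    function settleUnchecked(address maker, address token, uint256 amount, uint256 points) external {
        tokenManager.tillIn(maker, token, amount);          // return value ignored
        tokenManager.addTokenBalance(maker, token, amount); // return value ignored
        settledPoints[maker] += points;
    }

    // Hardened form: a revert inside tillIn is caught and surfaced as a typed error with its reason,
    // a false return from either call reverts, and state is only written after both calls succeed.
    function settleChecked(address maker, address token, uint256 amount, uint256 points) external {
        try tokenManager.tillIn(maker, token, amount) returns (bool ok) {
            if (!ok) revert TokenCallReturnedFalse("tillIn");
        } catch (bytes memory reason) {
            revert TillInFailed(reason); // revert on failure instead of continuing
        }
        bool credited = tokenManager.addTokenBalance(maker, token, amount);
        if (!credited) revert TokenCallReturnedFalse("addTokenBalance");
        settledPoints[maker] += points; // reached only when both transfers are confirmed
    }
}
```

Where the TokenManager forwards to arbitrary ERC20 tokens, the same checks apply one level down: tokens that return no boolean at all need a SafeERC20-style wrapper rather than a bare return-value check.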