Liquid Staking

Stakelink (DeFi, Hardhat, Oracle), 50,000 USDC
Submission Details
Severity: medium
Status: Invalid

Missing IERC677Receiver Interface Implementation in PriorityPool

Summary

The PriorityPool contract defines an onTokenTransfer function but does not declare the IERC677Receiver interface, which creates a security and compatibility issue when it receives ERC677 tokens such as LINK.

Vulnerability Details

In ERC677 tokens such as LINK, transfers made through transferAndCall expect the recipient contract to implement the IERC677Receiver interface so that it can handle the incoming transfer. Without this interface, the onTokenTransfer callback is not invoked as expected, and the operations that depend on it, such as deposits, fail.

Here is the relevant portion from the LINK token contract:

// Excerpt from the LINK token contract (Solidity 0.4-era syntax: the event is
// raised without `emit` and `bytes` carries no explicit data location).
contract ERC677Token is ERC677 {
    function transferAndCall(address _to, uint _value, bytes _data)
        public returns (bool success)
    {
        super.transfer(_to, _value);
        Transfer(msg.sender, _to, _value, _data);
        if (isContract(_to)) {
            contractFallback(_to, _value, _data);
        }
        return true;
    }

    // Casts the recipient to ERC677Receiver and calls its onTokenTransfer hook.
    function contractFallback(address _to, uint _value, bytes _data) private {
        ERC677Receiver receiver = ERC677Receiver(_to);
        receiver.onTokenTransfer(msg.sender, _value, _data);
    }
}

As shown, transferAndCall invokes contractFallback, which casts the receiving contract to ERC677Receiver and calls its onTokenTransfer. Because the PriorityPool contract does not declare IERC677Receiver, this call will fail when LINK is transferred using transferAndCall.

In PriorityPool, the onTokenTransfer function is as follows:

function onTokenTransfer(address _sender, uint256 _value, bytes calldata _calldata) external {
    if (_value == 0) revert InvalidValue();
    (bool shouldQueue, bytes[] memory data) = abi.decode(_calldata, (bool, bytes[]));
    if (msg.sender == address(token)) {
        // LINK arriving via transferAndCall: deposit on behalf of the original sender.
        _deposit(_sender, _value, shouldQueue, data);
    } else if (msg.sender == address(stakingPool)) {
        // Staking pool tokens arriving via transferAndCall: withdraw and return the
        // portion that could not be queued.
        uint256 amountQueued = _withdraw(_sender, _value, shouldQueue);
        token.safeTransfer(_sender, _value - amountQueued);
    } else {
        revert UnauthorizedToken();
    }
}

The problem lies in the assumption that PriorityPool will receive tokens through onTokenTransfer without conforming to the required ERC677Receiver interface. Since the interface is not implemented, the contractFallback call in the LINK token contract will fail.
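The claim above can be checked directly. The example below is added here and is not Stakelink's code or the LINK contract; the names MiniERC677, ReceiverNoInterface, ReceiverNoHook and Check are hypothetical. MiniERC677 reproduces the transferAndCall/contractFallback path shown above, and ReceiverNoInterface reproduces the shape of PriorityPool's hook (non-zero value check, abi.decode of (bool, bytes[]), msg.sender check) without declaring `is IERC677Receiver`. Because the cast `IERC677Receiver(to)` compiles to an ordinary external call keyed on the selector of onTokenTransfer(address,uint256,bytes), and Solidity performs no runtime interface check, the callback still reaches the receiver; the only case that reverts is a recipient with no matching function at all (ReceiverNoHook).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Interface as used by the token side. Receivers are never checked against it at runtime.
interface IERC677Receiver {
    function onTokenTransfer(address sender, uint256 value, bytes calldata data) external;
}

// Hypothetical minimal ERC677-style token: only the transferAndCall path matters here.
contract MiniERC677 {
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value, bytes data);

    constructor() { balanceOf[msg.sender] = 1_000e18; }

    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool) {
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value, data);
        if (to.code.length > 0) {
            // Same as LINK's contractFallback: the cast is a plain external call to the
            // selector of onTokenTransfer(address,uint256,bytes); no interface check happens.
            IERC677Receiver(to).onTokenTransfer(msg.sender, value, data);
        }
        return true;
    }
}

// Hypothetical receiver shaped like PriorityPool's hook, deliberately NOT declared
// `is IERC677Receiver`. It still has a function with the matching selector.
contract ReceiverNoInterface {
    address public immutable token;
    address public lastSender;
    uint256 public lastValue;
    bool public lastShouldQueue;

    constructor(address token_) { token = token_; }

    function onTokenTransfer(address sender, uint256 value, bytes calldata data) external {
        require(msg.sender == token, "UnauthorizedToken");
        require(value != 0, "InvalidValue");
        (bool shouldQueue, ) = abi.decode(data, (bool, bytes[]));
        lastSender = sender;
        lastValue = value;
        lastShouldQueue = shouldQueue;
    }
}

// Hypothetical receiver with no onTokenTransfer and no fallback: this one really reverts.
contract ReceiverNoHook {}

// Deploy Check and call run(): expected result is (true, false).
contract Check {
    function run() external returns (bool noInterfaceOk, bool noHookOk) {
        MiniERC677 tok = new MiniERC677();              // this contract holds the supply
        ReceiverNoInterface r1 = new ReceiverNoInterface(address(tok));
        ReceiverNoHook r2 = new ReceiverNoHook();
        bytes memory data = abi.encode(true, new bytes[](0)); // constructed calldata (shouldQueue=true)

        // Receiver without the interface declaration: callback runs and state is updated.
        noInterfaceOk = tok.transferAndCall(address(r1), 1e18, data);
        require(r1.lastSender() == address(this), "sender not forwarded");
        require(r1.lastValue() == 1e18, "value not forwarded");
        require(r1.lastShouldQueue(), "calldata not decoded");

        // Receiver without any matching function: the inner call reverts, and so does
        // transferAndCall; catch it so run() itself returns.
        try tok.transferAndCall(address(r2), 1e18, data) returns (bool ok) {
            noHookOk = ok;
        } catch {
            noHookOk = false;
        }
    }
}
```

Compile with solc 0.8.20 or later, deploy Check, and call run(); the first flag is true and the second false. Declaring `is IERC677Receiver` on a receiver only makes the compiler enforce the function's presence and signature at compile time; it changes nothing in the bytecode the token calls into.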

Impact

LINK transfers made with transferAndCall will fail because the PriorityPool contract lacks the required interface, so _deposit will not execute as intended.

Tools Used

Manual review

Recommendations

Implement the IERC677Receiver interface: declare PriorityPool as implementing IERC677Receiver (contract PriorityPool is IERC677Receiver, ...) so that its onTokenTransfer conforms to the interface expected by ERC677 tokens.

Updates

Lead Judging Commences

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
