The deposit function calls IERC677(address(token)).transferAndCall(address(stakeController), _amount, "") without checking its return value. This could lead to undetected failures during the token transfer, which may affect the integrity of the staking logic.
In Solidity, functions such as transferAndCall may return a boolean indicating whether the transfer succeeded. In the current implementation, that return value is not checked. If the transfer fails by returning false rather than reverting, the failure goes unnoticed and tokens are never actually moved to the staking contract, while the vault's accounting (trackedTotalDeposits) is still updated. The system then believes the deposit was successful even though it was not.
If the transferAndCall function fails and the error is not detected, it can lead to several issues:
Incorrect accounting of total deposits in the vault.
Potential loss of funds or staking benefits for users.
Unwanted discrepancies between the actual token balance and the vault's internal records.
Security vulnerabilities if the failure is exploited by an attacker to bypass deposit logic.
Manual code inspection.
Verify the return value of transferAndCall to ensure the transfer was successful.
Implement error handling logic to revert the transaction if the token transfer fails, ensuring the integrity of the vault’s deposit system.
Example code:
This will ensure that if the transfer fails, the transaction reverts and no inconsistent state is left in the system.
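As an added illustration of the recommendation (not the audited project's code), the vulnerable deposit is shown next to a version that checks the boolean. The IERC677 interface shape, the immutable storage layout and the constructor are assumptions; only transferAndCall, stakeController and trackedTotalDeposits come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed ERC677 surface: transferAndCall returns a success flag.
interface IERC677 {
    function transferAndCall(address to, uint256 value, bytes calldata data)
        external
        returns (bool);
}

// Mirrors the pattern described in the finding (illustrative, not the
// project's contract): the return value is dropped, so a token that
// signals failure with `false` leaves trackedTotalDeposits incremented
// with no tokens actually moved to the staking contract.
contract VaultUnchecked {
    address public immutable token;
    address public immutable stakeController;
    uint256 public trackedTotalDeposits;

    constructor(address _token, address _stakeController) {
        token = _token;
        stakeController = _stakeController;
    }

    function deposit(uint256 _amount) external {
        IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
        trackedTotalDeposits += _amount; // updated even if the transfer returned false
    }
}

// Hardened version: the transaction reverts on a `false` return, so the
// accounting and the real token balance can never diverge here.
contract VaultChecked {
    address public immutable token;
    address public immutable stakeController;
    uint256 public trackedTotalDeposits;

    constructor(address _token, address _stakeController) {
        token = _token;
        stakeController = _stakeController;
    }

    function deposit(uint256 _amount) external {
        bool ok = IERC677(address(token)).transferAndCall(address(stakeController), _amount, "");
        require(ok, "Vault: transferAndCall failed");
        trackedTotalDeposits += _amount; // reached only after a confirmed transfer
    }
}
```

Because the call is made through the typed interface, a token that returns no data at all will already revert during ABI decoding; the explicit require covers the remaining case of a token that returns false.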