Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Tokens may revert on `transferFrom`

Summary

Tokens may revert on `transferFrom`

Vulnerability Details

Some common tokens like USDT return false on transfer instead of reverting. With such a token, a function can take no tokens at all and still continue execution. One such function is `transferRoyalties`, which is used inside `list` and `relist`.

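```solidity
function transferRoyalties(AssetListing storage asset) internal {
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;
    // The bool returned by transferFrom is ignored here.
    token.transferFrom(asset.seller, address(this), buyerFee);
    // ... (the rest of the function is not shown in this excerpt)
}
```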

Continuing execution without transferring the tokens is dangerous as the listing, in this case, can be made without any fees being paid.

Impact

Users can make free listings, and the same unchecked transfer can lead to many more bugs around the contract.

Tools Used

Manual review

Recommendations

Use safeTransfer.
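
The difference the recommendation makes, as an added example that is not part of the submission or of the Swan code base: a constructed token that returns false, the unchecked call that completes anyway, and a checked wrapper modelled on what a safe-transfer helper verifies. All contract, library and function names below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Constructed test token: signals failure by returning false, never reverts.
contract FalseReturningToken is IERC20Like {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

// Hypothetical helper showing the checks a safe-transfer wrapper performs.
library SafeTransferSketch {
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Like.transferFrom.selector, from, to, amount)
        );
        require(ok, "transferFrom reverted");
        if (ret.length == 0) {
            // No return data at all: only accept it from an address that has code.
            require(token.code.length > 0, "token is not a contract");
        } else {
            require(abi.decode(ret, (bool)), "transferFrom returned false");
        }
    }
}

contract FeeCollectorDemo {
    IERC20Like public immutable token;
    uint256 public feesRecorded;

    constructor(IERC20Like _token) { token = _token; }

    // Unchecked pattern from the finding: completes although no tokens moved.
    function collectUnchecked(address seller, uint256 fee) external {
        token.transferFrom(seller, address(this), fee);
        feesRecorded += fee;
    }

    // Checked pattern: reverts with FalseReturningToken, so no unpaid fee is recorded.
    function collectChecked(address seller, uint256 fee) external {
        SafeTransferSketch.safeTransferFrom(address(token), seller, address(this), fee);
        feesRecorded += fee;
    }
}
```

Deployed against `FalseReturningToken`, `collectUnchecked` increases `feesRecorded` while `collectChecked` reverts with "transferFrom returned false".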

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
