Summary

The vulnerability arises in the request function, where the transfer of fees uses feeToken.transferFrom without explicitly checking if it is safe. This could potentially lead to an insecure fee transfer if transferFrom fails or if it doesn’t properly revert in case of insufficient funds or other issues.

Vulnerability Details

In Solidity, the transferFrom method does not always revert when the transfer fails. Specifically, some ERC-20 tokens do not conform strictly to the ERC-20 standard, meaning they may not revert on a failed transfer and return false instead. This can lead to a situation where the contract continues execution under the assumption that the transfer was successful, potentially leaving the contract underfunded.

Impact

Since fee transfers are fundamental to the contract's request process, any failures in transferring the appropriate fees might lead to incomplete funding of tasks. This can create inconsistencies in contract state, disrupt task processing, and lead to unintended results if not addressed.

Tools Used

Manual

Recommendations

Use safeTransferFrom Function:

Replace transferFrom with safeTransferFrom to ensure that transfers either succeed or revert in case of failure. This can be done by importing OpenZeppelin’s SafeERC20 library, which includes the safeTransferFrom method, designed to safely handle ERC-20 token transfers