The vulnerability arises in the request function, where the fee is collected with feeToken.transferFrom and the boolean it returns is never checked. If the token signals failure by returning false rather than reverting, the fee transfer silently fails and request continues as though it had succeeded.
The ERC-20 standard specifies that transferFrom returns a bool and does not require the token to revert on failure. A Solidity high-level call does propagate a revert raised inside the token, so a reverting token is safe here; the problem is tokens that return false on insufficient balance or allowance. With the return value discarded, the contract proceeds under the assumption that the transfer succeeded and ends up holding fewer tokens than it has accounted for.
Because fee collection is fundamental to the request flow, a failed fee transfer lets tasks be created without funding. That leaves the contract state inconsistent with the token balances it actually holds, can disrupt task processing, and produces unintended results if it is not addressed.
Manual
Use safeTransferFrom Function:
Replace transferFrom with safeTransferFrom so that a transfer either succeeds or reverts. Import OpenZeppelin's SafeERC20 library (using SafeERC20 for IERC20;), whose safeTransferFrom wraps the call, reverts when the token reverts or returns false, and also tolerates tokens that return no data at all.