Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Use transferFrom in Fee Transfer

Summary

The vulnerability arises in the request function, where the fee is collected with feeToken.transferFrom and the call's boolean return value is never checked. If the transfer fails without reverting (for example on insufficient balance or allowance), the function continues as though the fee had been paid.

Vulnerability Details

feeToken.transferFrom(msg.sender, address(this), totalfee);

In Solidity, the transferFrom method does not always revert when a transfer fails. Some ERC-20 tokens do not conform strictly to the standard: instead of reverting on a failed transfer they return false. Because the return value is ignored here, the contract continues execution under the assumption that the transfer succeeded, potentially leaving the contract underfunded.

Impact

Since fee transfers are fundamental to the contract's request process, any failures in transferring the appropriate fees might lead to incomplete funding of tasks. This can create inconsistencies in contract state, disrupt task processing, and lead to unintended results if not addressed.

Tools Used

Manual

Recommendations

Use the safeTransferFrom function:

Replace transferFrom with safeTransferFrom so that the fee transfer either succeeds or reverts. This can be done by importing OpenZeppelin's SafeERC20 library, whose safeTransferFrom wrapper reverts when the underlying call reverts, returns false, or returns no data.
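The pattern from this finding, shown as the unchecked call next to the SafeERC20 version, together with a constructed token that returns false instead of reverting. This is an added example, not code from the Swan contracts; the contract name, the function names requestUnchecked and requestSafe, and the mock token are hypothetical, while feeToken and totalfee are the identifiers used in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical contract illustrating the finding (not the audited code).
contract FeeCollectorExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable feeToken;
    uint256 public collected; // fees the contract believes it holds

    constructor(IERC20 _feeToken) {
        feeToken = _feeToken;
    }

    // Vulnerable form: the boolean returned by transferFrom is discarded.
    // With a token that returns false instead of reverting, execution
    // continues and `collected` is increased although no tokens arrived.
    function requestUnchecked(uint256 totalfee) external {
        feeToken.transferFrom(msg.sender, address(this), totalfee);
        collected += totalfee;
    }

    // Hardened form: SafeERC20.safeTransferFrom reverts if the call reverts,
    // returns false, or returns no data, so `collected` can only grow when
    // the tokens were actually received.
    function requestSafe(uint256 totalfee) external {
        feeToken.safeTransferFrom(msg.sender, address(this), totalfee);
        collected += totalfee;
    }
}

// Constructed mock of a non-conforming ERC-20: transferFrom never reverts
// and always reports failure by returning false. Against this token,
// requestUnchecked succeeds with no tokens moved; requestSafe reverts.
contract FalseReturningToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}
```

Deploy FeeCollectorExample with IERC20(address(new FalseReturningToken())) in a Hardhat or Foundry test to observe the two behaviours side by side.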

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
