Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

[H-3] transferRoyalties::Swan.sol result of transferFrom not checked could lead to token loss of protocol

Description

```solidity
function transferRoyalties(AssetListing storage asset) internal {
    // calculate fees
    uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
    uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;

    // first, Swan receives the entire fee from seller
    // this allows only one approval from the seller's side
    token.transferFrom(asset.seller, address(this), buyerFee);

    // send the buyer's portion to them
    token.transfer(asset.buyer, buyerFee - driaFee);

    // then it sends the remaining to Swan owner
    token.transfer(owner(), driaFee);
}
```

`token.transferFrom(asset.seller, address(this), buyerFee);` could fail silently, and since the result is not checked, `token.transfer(asset.buyer, buyerFee - driaFee);` and `token.transfer(owner(), driaFee);` would be carried out without the protocol receiving anything from `asset.seller`.

Impact: Funds loss by the protocol

Recommended mitigation: the result of `transfer` and `transferFrom` should always be checked.
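The mitigation applied to the function above, as an added example that is not the Swan project's code: the `AssetListing` and `MarketParameters` shapes, `owner()` and `getCurrentMarketParameters()` are assumed stand-ins for the real Swan types, and the transfers are routed through OpenZeppelin's `SafeERC20` so that a `false` return (or a token that returns nothing) reverts the whole call instead of letting the payouts to the buyer and owner proceed unfunded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed minimal shapes of the Swan types referenced by the finding (not the project's definitions).
struct AssetListing {
    address seller;
    address buyer;
    uint256 price;
    uint256 royaltyFee; // percent
}

struct MarketParameters {
    uint256 platformFee; // percent of the royalty kept by the platform
}

abstract contract RoyaltyExample {
    using SafeERC20 for IERC20;

    IERC20 public token;

    // Assumed hooks standing in for Swan's own accessors.
    function owner() public view virtual returns (address);
    function getCurrentMarketParameters() public view virtual returns (MarketParameters memory);

    // Hardened transferRoyalties: each step either succeeds or reverts the entire call,
    // so the buyer and owner payouts can never execute without the seller's fee arriving.
    function transferRoyalties(AssetListing storage asset) internal {
        uint256 buyerFee = (asset.price * asset.royaltyFee) / 100;
        uint256 driaFee = (buyerFee * getCurrentMarketParameters().platformFee) / 100;

        // safeTransferFrom reverts when the token returns false, and also accepts
        // tokens that return no value at all (which a bare `require(token.transferFrom(...))` would reject).
        token.safeTransferFrom(asset.seller, address(this), buyerFee);

        // Only reached if the seller's fee is actually held by this contract.
        token.safeTransfer(asset.buyer, buyerFee - driaFee);
        token.safeTransfer(owner(), driaFee);
    }
}
```

The equivalent manual check is `require(token.transferFrom(asset.seller, address(this), buyerFee), "fee transfer failed");` on each call, but `SafeERC20` additionally handles tokens whose `transfer`/`transferFrom` do not return a boolean.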

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
