Dria

Swan
NFT, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

[M-4] transferFrom result not checked in register::LLMOracleCoordinator.sol

Summary

Even though the allowance and balance of msg.sender were checked before transferFrom, it is still a safe practice to check the return value of transferFrom.

    uint256 allowance = feeToken.allowance(msg.sender, address(this));
    if (allowance < totalfee) {
        revert InsufficientFees(allowance, totalfee);
    }
    // ensure there is enough balance
    uint256 balance = feeToken.balanceOf(msg.sender);
    if (balance < totalfee) {
        revert InsufficientFees(balance, totalfee);
    }
    // transfer tokens
    //@q transferFrom result not checked
    feeToken.transferFrom(msg.sender, address(this), totalfee);
    // increment the task id for later tasks & emit task request event
    uint256 taskId = nextTaskId;
    unchecked {
        ++nextTaskId;
    }
    emit Request(taskId, msg.sender, protocol);
    // push request & emit status update for the task
    requests[taskId] = TaskRequest({
        requester: msg.sender,
        protocol: protocol,
        input: input,
        parameters: parameters,
        status: TaskStatus.PendingGeneration,
        generatorFee: generatorFee,
        validatorFee: validatorFee,
        platformFee: platformFee,
        models: models
    });
    emit StatusUpdate(taskId, protocol, TaskStatus.None, TaskStatus.PendingGeneration);
    return taskId;

Impact: transferFrom could fail silently. Because the return value is not checked, requests[taskId] and nextTaskId would still be updated. This way msg.sender would escape payment to the contract.

Recommendations: The transferFrom return value should be checked to ensure the transaction was successful before state updates.
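
The recommendation above, as an added example that is not the project's code: a reduced coordinator showing the unchecked fee pull beside a checked one. `FeePullExample`, `FalseReturningToken`, `IERC20Like`, `requestUnchecked`, `requestChecked` and `FeeTransferFailed` are hypothetical names, and the false-returning token is constructed to show the failure mode, not a claim about the contest's fee token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Constructed token that signals failure by returning false instead of reverting.
contract FalseReturningToken is IERC20Like {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

/// Hypothetical coordinator reduced to the fee pull (assumption, not the audited contract).
contract FeePullExample {
    IERC20Like public immutable feeToken;
    uint256 public nextTaskId = 1;

    error FeeTransferFailed();

    constructor(IERC20Like token) {
        feeToken = token;
    }

    /// Pattern from the submission: the bool is dropped, so a token that
    /// returns false still lets the task id advance without payment.
    function requestUnchecked(uint256 totalFee) external returns (uint256 taskId) {
        feeToken.transferFrom(msg.sender, address(this), totalFee);
        taskId = nextTaskId++;
    }

    /// Checked form: revert if the call failed, if the token returned false,
    /// or if it returned nothing and the address holds no code.
    function requestChecked(uint256 totalFee) external returns (uint256 taskId) {
        (bool ok, bytes memory ret) = address(feeToken).call(
            abi.encodeCall(IERC20Like.transferFrom, (msg.sender, address(this), totalFee))
        );
        if (!ok) revert FeeTransferFailed();
        if (ret.length == 0 && address(feeToken).code.length == 0) revert FeeTransferFailed();
        if (ret.length != 0 && !abi.decode(ret, (bool))) revert FeeTransferFailed();
        taskId = nextTaskId++; // state changes only after the transfer is confirmed
    }
}
```

Deployed with `FalseReturningToken`, `requestUnchecked` returns a task id while `requestChecked` reverts with `FeeTransferFailed`. OpenZeppelin's `SafeERC20.safeTransferFrom` performs the same kind of check and is the usual way to get it.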

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
