One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Lack of safeTransferFrom Usage

Summary

The joinDAO function in the MembershipFactory contract uses the bare ERC20 transferFrom call and does not check its boolean return value. A token that signals failure by returning false instead of reverting will therefore fail silently. The risk is not limited to the currencies configured today, because the contract allows new currencies to be added later, and any of them may deviate from the ERC20 standard in exactly this way.

Vulnerability Details

Because the codebase has add-currency logic (any ERC20 token can be registered as a DAO currency in the future), joinDAO should use the SafeERC20 wrapper functions rather than relying on every token to revert on a failed transfer.

In the joinDAO function, the following lines use transferFrom:

IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), owpWallet, platformFees);
IERC20(daos[daoMembershipAddress].currency).transferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);

These lines transfer the platform fee and the remaining tier price from the user to the respective addresses. Neither call checks the returned boolean, so if the token reports failure by returning false instead of reverting, execution continues as though the payment succeeded. (A token that returns no value at all is a different failure mode: calling it through the IERC20 interface reverts when the missing return data is decoded, so such a currency cannot be used by joinDAO at all. SafeERC20 handles both cases.)

Impact

  • If a currency's transferFrom returns false instead of reverting, joinDAO does not revert: the platform wallet and the DAO membership contract receive nothing, yet the rest of joinDAO executes as if the fee and tier price had been paid. The result is an inconsistent state and lost revenue for the platform and the DAO.

Tools Used

Recommendations

Use safeTransferFrom: replace transferFrom with OpenZeppelin's SafeERC20 safeTransferFrom, which reverts when the token returns false and also tolerates tokens that return no value. Because safeTransferFrom is a library function, the contract must import SafeERC20 and declare `using SafeERC20 for IERC20;` for the calls below to compile.

+ IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), owpWallet, platformFees);
+ IERC20(daos[daoMembershipAddress].currency).safeTransferFrom(_msgSender(), daoMembershipAddress, tierPrice - platformFees);
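
As an added illustration (not code from the One World / MembershipFactory codebase), the contracts below reduce joinDAO to the "transfer, then grant membership" pattern discussed above and compare the unchecked transferFrom with the SafeERC20 version against a constructed mock token that returns false instead of reverting. The contract names, the treasury address and the price are assumptions for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock (not a real token): transferFrom moves nothing and
/// reports failure by returning false rather than reverting.
contract FalseReturningToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

/// Hypothetical contract showing the pattern from the report: the boolean
/// returned by transferFrom is discarded, so a false return is never seen.
contract UnsafeJoin {
    mapping(address => bool) public isMember;

    function joinDAO(IERC20 currency, address treasury, uint256 price) external {
        currency.transferFrom(msg.sender, treasury, price); // return value ignored
        isMember[msg.sender] = true;                        // granted even if nothing moved
    }
}

/// Hardened variant: SafeERC20 reverts on a false return and accepts
/// tokens that return no data, so a failed payment cannot be skipped.
contract SafeJoin {
    using SafeERC20 for IERC20;

    mapping(address => bool) public isMember;

    function joinDAO(IERC20 currency, address treasury, uint256 price) external {
        currency.safeTransferFrom(msg.sender, treasury, price);
        isMember[msg.sender] = true;
    }
}

/// Driver: with the false-returning token, UnsafeJoin grants membership for
/// free while SafeJoin reverts. Call run() from a script or test harness.
contract Demo {
    function run() external returns (bool unsafeGranted, bool safeReverted) {
        FalseReturningToken token = new FalseReturningToken();
        UnsafeJoin unsafeDao = new UnsafeJoin();
        SafeJoin safeDao = new SafeJoin();
        address treasury = address(0xBEEF); // assumed placeholder address
        uint256 price = 1e18;               // assumed tier price

        // No tokens move, no revert: membership is recorded anyway.
        unsafeDao.joinDAO(IERC20(address(token)), treasury, price);
        unsafeGranted = unsafeDao.isMember(address(this));

        // SafeERC20 surfaces the false return as a revert.
        try safeDao.joinDAO(IERC20(address(token)), treasury, price) {
            safeReverted = false;
        } catch {
            safeReverted = true;
        }
    }
}
```

Running Demo.run() yields unsafeGranted == true and safeReverted == true. SafeERC20 also protects against tokens that return no boolean at all, which would otherwise make the raw IERC20 call revert on return-data decoding; it does not address tokens that deduct a fee on transfer, which would still require balance-delta accounting.
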

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
