The `unwrap` function in `TokenAdapterMock` ignores the return values of critical `IERC20` token transfer calls. These unchecked return values can lead to undetected transfer failures, causing incorrect logic execution and potential fund mismanagement.
The issue arises in the following lines of code:

    IERC20(token).transferFrom(msg.sender, address(this), _amount);
    IERC20(IYieldToken(token).underlying()).transfer(msg.sender, balAfter);
Both calls return a bool indicating success. Ignoring these return values allows the function to proceed even if a transfer fails: a token that signals failure by returning false rather than reverting will leave `unwrap` running with a balance it never received or never paid out. This vulnerability aligns with the Unchecked Transfer category outlined in the Slither Detector Documentation.
High Severity:
Fund Loss: The function continues execution without verifying transfer success, potentially leading to fund mismanagement.
Broken Logic: Smart contracts relying on these transfers may fail silently, disrupting operations.
Medium Confidence: The issue is critical when interacting with non-standard or malfunctioning tokens.
Slither: Identified the Unchecked Transfer issue in TokenAdapterMock.unwrap.
Manual Analysis: Verified the root cause and potential exploit scenarios.
Implement proper checks for the return values of the transferFrom and transfer calls to ensure they succeed before proceeding.
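The contrast between the flagged pattern and the recommended fix, as an added illustration that is not the audited project's code: the `TokenAdapterMock`, `IYieldToken` and `redeem` shapes below are assumed for the example, and the `SafeTransfer` helper is a small stand-in for OpenZeppelin's `SafeERC20`, written so that it also tolerates tokens that return no data instead of a bool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal interfaces (hypothetical; the audited code base's own
// TokenAdapterMock and IYieldToken are not reproduced here).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IYieldToken {
    function underlying() external view returns (address);
    function redeem(uint256 amount) external; // hypothetical unwrapping call
}

// Pattern the finding flags: the bool returned by transferFrom/transfer is dropped,
// so a token that returns false on failure lets unwrap continue as if funds moved.
contract UncheckedAdapter {
    address public immutable token;

    constructor(address _token) { token = _token; }

    function unwrap(uint256 _amount) external returns (uint256) {
        IERC20(token).transferFrom(msg.sender, address(this), _amount); // return value ignored
        IERC20 underlying = IERC20(IYieldToken(token).underlying());
        uint256 balBefore = underlying.balanceOf(address(this));
        IYieldToken(token).redeem(_amount);
        uint256 balAfter = underlying.balanceOf(address(this)) - balBefore;
        underlying.transfer(msg.sender, balAfter); // return value ignored
        return balAfter;
    }
}

// Stand-in for OpenZeppelin SafeERC20: reverts if the call fails, if the token
// explicitly returns false, or if a "no return data" response came from a
// non-contract address (which would otherwise look like silent success).
library SafeTransfer {
    function safeTransfer(IERC20 t, address to, uint256 amount) internal {
        _callAndCheck(address(t), abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function safeTransferFrom(IERC20 t, address from, address to, uint256 amount) internal {
        _callAndCheck(address(t), abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }

    function _callAndCheck(address target, bytes memory data) private {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "SafeTransfer: call failed");
        if (ret.length == 0) {
            // Non-standard token with no return value: only acceptable from real code.
            require(target.code.length > 0, "SafeTransfer: not a contract");
        } else {
            require(abi.decode(ret, (bool)), "SafeTransfer: transfer returned false");
        }
    }
}

// Hardened form: every transfer is checked, so a failed movement of funds reverts
// the whole unwrap instead of leaving the adapter's accounting out of sync.
contract CheckedAdapter {
    using SafeTransfer for IERC20;

    address public immutable token;

    constructor(address _token) { token = _token; }

    function unwrap(uint256 _amount) external returns (uint256) {
        IERC20(token).safeTransferFrom(msg.sender, address(this), _amount);
        IERC20 underlying = IERC20(IYieldToken(token).underlying());
        uint256 balBefore = underlying.balanceOf(address(this));
        IYieldToken(token).redeem(_amount);
        uint256 balAfter = underlying.balanceOf(address(this)) - balBefore;
        underlying.safeTransfer(msg.sender, balAfter);
        return balAfter;
    }
}
```

Using the library (or OpenZeppelin's `SafeERC20` directly) rather than a bare `require(IERC20(token).transfer(...))` is the more robust choice because it also covers tokens whose `transfer` returns nothing, which a plain `require` on the return value would reject outright.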