DeFiFoundrySolidity
16,653 OP
Submission Details
Severity: low
Invalid

Missing Return Value Checks for External Calls

Description

The contract makes external calls to ERC20 transfer and approve functions without handling the case where these functions return false instead of reverting on failure. While most ERC20 tokens revert on failure, some implementations return false, and a caller that ignores the return value treats such a failure as success.

For example:

underlying.safeApprove(router, type(uint256).max);

The SafeERC20 library from OpenZeppelin is used, which handles return values correctly for ERC20 functions. However, for custom external calls like those to the transmuter contract, return values are not checked.

transmuter.claim(_amountClaim, address(this));
transmuter.deposit(asset.balanceOf(address(this)), address(this));
transmuter.withdraw(_amount, address(this));

Impact

  • Silent Failures: If the external contract (transmuter) fails to execute the function as expected but does not revert, the absence of return value checks leaves the failure undetected.

  • Inconsistent State: The contract may assume that operations succeeded when they did not, causing misalignment in the contract's state and expected behavior.

Recommendation

  • Check Return Values of External Calls: Ensure that any external calls which do not revert on failure have their return values checked.

    bool success = transmuter.claim(_amountClaim, address(this));
    require(success, "Transmuter claim failed");

  • Use Try-Catch Blocks: For external calls that might revert, use try-catch blocks to handle exceptions.

    try transmuter.claim(_amountClaim, address(this)) {
        // Success logic
    } catch {
        revert("Transmuter claim failed");
    }

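
As an added illustration of the two recommendations above (example code written for this page, not from the audited project), the contract below shows the unchecked call beside a hardened version. It assumes a transmuter interface whose `claim`, `deposit` and `withdraw` return nothing (the page does not state the real signatures), so there is no bool to check and the caller must verify the call's effect instead; it further assumes `claim` pays out `claimToken` one-for-one. Note that `try`/`catch` only catches reverts raised inside the callee, so a call that neither reverts nor delivers the expected amount is caught only by the balance-delta check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

// Assumed interface for the three transmuter calls named in the finding.
// The real return types are not given on the page; here the functions
// return nothing, so a `bool success = ...` pattern would not compile.
interface ITransmuter {
    function claim(uint256 amount, address recipient) external;
    function deposit(uint256 amount, address recipient) external;
    function withdraw(uint256 amount, address recipient) external;
}

contract TransmuterCallerExample {
    IERC20 public immutable claimToken;     // token claim() is assumed to pay out
    ITransmuter public immutable transmuter;

    error ClaimShortfall(uint256 expected, uint256 received);
    error TransmuterCallFailed(bytes reason);

    constructor(IERC20 _claimToken, ITransmuter _transmuter) {
        claimToken = _claimToken;
        transmuter = _transmuter;
    }

    // Pattern from the finding: the effect of the call is never verified,
    // so a transmuter that silently does nothing is treated as success.
    function claimUnchecked(uint256 amountClaim) external {
        transmuter.claim(amountClaim, address(this));
    }

    // Hardened: because claim() returns nothing, measure the balance before
    // and after the call and revert on any shortfall; the try/catch turns a
    // callee revert into a typed error carrying the raw revert data.
    function claimChecked(uint256 amountClaim) external returns (uint256 received) {
        uint256 before = claimToken.balanceOf(address(this));
        try transmuter.claim(amountClaim, address(this)) {
            // fall through to the balance check below
        } catch (bytes memory reason) {
            revert TransmuterCallFailed(reason);
        }
        received = claimToken.balanceOf(address(this)) - before;
        if (received < amountClaim) revert ClaimShortfall(amountClaim, received);
    }
}
```

The same before/after balance check applies to `deposit` and `withdraw`, where the expected effect is a decrease or increase of the strategy's asset balance by the requested amount.
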
Updates

Appeal created

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
