Pieces Protocol

First Flight #32
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: medium
Invalid

[M-1] In `TokenDivider::transferErcTokens`, the `transferFrom` return value is not checked, which could lead to incorrect contract state

Description: The call to transfer tokens is not checked for success or failure.

```solidity
IERC20(tokenInfo.erc20Address).transferFrom(msg.sender,to, amount);
```

Impact: The state variables are updated before this call, which is proper CEI.

```solidity
balances[msg.sender][tokenInfo.erc20Address] -= amount;
balances[to][tokenInfo.erc20Address] += amount;
```

If the call to `transferFrom` fails, the contract would not revert, leading to incorrect balance tracking.

Recommended Mitigation: Check the return value of `transferFrom`.

- IERC20(tokenInfo.erc20Address).transferFrom(msg.sender,to, amount);
+ bool transferSuccess = IERC20(tokenInfo.erc20Address).transferFrom(msg.sender,to, amount);
+ if(!transferSuccess) {
+ revert TokenDivider__TransferFailed();
+ }
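
Review bot: The check is added only at the `transferFrom` call in `transferErcTokens`, while the write-up names the same unchecked calls in `sellErc20` (`transferFrom`) and `buyOrder` (`transfer`), so the patch should cover all three call sites or state why it does not. The revert uses `TokenDivider__TransferFailed()`, and no declaration for that error is visible in this hunk; confirm it exists in the contract or add it in the same change. Reading the result into `bool transferSuccess` also assumes the token at `tokenInfo.erc20Address` returns a bool, so if arbitrary tokens can end up there, OpenZeppelin's `SafeERC20.safeTransferFrom` is the more robust form of this check.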

This same issue of not checking the result of transfer functions also occurs in `TokenDivider::sellErc20` and `TokenDivider::buyOrder`. In `sellErc20`, the result of `transferFrom` is not checked, and in `buyOrder`, the result of `transfer` is not checked.
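
The failure mode described in the submission, as an added example that is not part of the submission or of the TokenDivider code base: it shows how an ignored `false` return lets an internal ledger diverge from token balances, and how the checked form rolls the ledger back. `FalseReturningToken`, `Ledger`, `credit` and `Ledger__TransferFailed` are hypothetical names constructed for the illustration, and the mock omits allowance handling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Constructed mock: a token that signals failure by returning false
// instead of reverting (allowance checks omitted for brevity).
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount) return false; // failure without revert
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical ledger mirroring the pattern in the finding: internal
// balances are written first, then the token is moved.
contract Ledger {
    error Ledger__TransferFailed();

    FalseReturningToken public immutable token;
    mapping(address => uint256) public balances;

    constructor(FalseReturningToken _token) { token = _token; }

    // Test-only helper to seed an internal balance.
    function credit(address user, uint256 amount) external { balances[user] += amount; }

    // Unchecked: a false return is ignored, so the ledger moves while no tokens do.
    function transferUnchecked(address to, uint256 amount) external {
        balances[msg.sender] -= amount;
        balances[to] += amount;
        token.transferFrom(msg.sender, to, amount);
    }

    // Checked: reverting on false rolls back both balance writes above.
    function transferChecked(address to, uint256 amount) external {
        balances[msg.sender] -= amount;
        balances[to] += amount;
        bool ok = token.transferFrom(msg.sender, to, amount);
        if (!ok) revert Ledger__TransferFailed();
    }
}
```

With a caller that has an internal balance but holds no tokens, `transferUnchecked` succeeds and shifts the ledger, while `transferChecked` reverts and leaves it unchanged. A token that reverts on failure, rather than returning `false`, would make both paths revert.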

Updates

Lead Judging Commences

fishy Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
