The contract does not verify the legitimacy of ERC20 tokens before interacting with them, allowing malicious sellers to introduce fake or malicious tokens. This could mislead users or trigger unexpected behavior during token transfers.
1. Security Risks: Users might interact with tokens that are not what they seem, potentially leading to theft or loss.
2. Reputation Damage: Trust in the platform could be undermined if users encounter issues with token interactions.
3. User Confusion: If fake tokens are listed, users might mistakenly buy or interact with them, leading to poor user experience.
Add token validation checks before any ERC20 interaction:
Code Snippet:
```solidity
// Probe whether `token` behaves like an ERC20 contract.
// Note: try/catch only catches reverts raised inside the external call. If
// `token` has no code (an EOA), the call returns empty data and the decoding
// of that data to uint256 fails in *this* contract, which is not caught and
// would revert the caller, so the code-length check must come first.
function validateToken(address token) internal view returns (bool) {
    if (token.code.length == 0) {
        return false;
    }
    IERC20 erc20 = IERC20(token);
    try erc20.balanceOf(address(this)) returns (uint256) {
        return true;
    } catch {
        return false;
    }
}

function sellErc20(address nftPegged, uint256 price, uint256 amount) external {
    // ... existing checks ...
    // `tokenInfo` is the contract's existing listing record for `nftPegged`.
    require(validateToken(tokenInfo.erc20Address), "Invalid or malicious token");
    // ... rest of the function ...
}
```
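A malicious contract can trivially implement `balanceOf`, so the probe above only screens out non-contracts and obviously broken addresses; the trust decision should rest on an allowlist. The following added example (not part of the audited project's code) combines both layers; `TokenGuard`, `setAllowedToken` and `looksLikeErc20` are hypothetical names, and the minimal `IERC20` interface stands in for OpenZeppelin's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface for the probe (assumed; use OpenZeppelin's IERC20 in practice).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

/// Hypothetical marketplace fragment: tokens must pass a sanity probe AND be
/// explicitly allowlisted by the owner before they can be listed for sale.
contract TokenGuard {
    address public immutable owner;
    mapping(address => bool) public allowedTokens;

    event TokenAllowed(address indexed token, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Governance step: a token is allowlisted only after off-chain review,
    /// and only if it at least looks like an ERC20 contract on-chain.
    function setAllowedToken(address token, bool allowed) external onlyOwner {
        if (allowed) {
            require(looksLikeErc20(token), "not an ERC20 contract");
        }
        allowedTokens[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    /// Sanity probe only. try/catch does not catch return-data decoding
    /// failures, so an EOA (empty return data) would revert the caller;
    /// the code-length check handles that case first.
    function looksLikeErc20(address token) public view returns (bool) {
        if (token.code.length == 0) return false;
        try IERC20(token).balanceOf(address(this)) returns (uint256) {
            return true;
        } catch {
            return false;
        }
    }

    /// Listing entry point: the allowlist, not the probe, gates the sale.
    function sellErc20(address token, uint256 price, uint256 amount) external view {
        require(allowedTokens[token], "token not allowlisted");
        require(price > 0 && amount > 0, "zero price or amount");
        // ... listing logic would follow ...
    }
}
```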