The buyOrder function calls IERC20(order.erc20Address).transfer to send ERC20 tokens to the buyer, but it does not provide a descriptive revert error if the transfer fails. This can lead to silent failures, making issues hard to diagnose and potentially leaving the contract in an inconsistent state. Funds are indirectly at risk if the transfer fails silently, and users may lose funds without a clear error message.
In the buyOrder function, the transfer call is used to transfer ERC20 tokens to the buyer. However, the function neither checks the boolean that transfer returns nor reverts with a descriptive error if the transfer fails. Some ERC20 implementations signal failure by returning false rather than reverting, so in that case the call completes, the return value is dropped, and the contract state (e.g., balances and sell orders) is updated even though the token transfer was unsuccessful.
Medium Impact: Funds are indirectly at risk if the transfer fails silently. The contract's state (balances and sell orders) may become inconsistent if the transfer fails but the state is already updated.
State Inconsistency: Users may lose funds if the transfer fails without a clear error message, and the contract state may not reflect the actual token balances.
Diagnostic Challenges: Silent failures make it difficult to diagnose issues, leading to poor user experience and potential financial losses.
Tools Used: Manual Review, Foundry
Check the return value of transfer and revert with a descriptive error when it is false, so that a failed transfer rolls back the state changes made in the same call and the contract state remains consistent. For example:
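The following is an added illustration, not the audited contract's code: it places the unchecked pattern the finding describes next to a version that checks the return value and reverts with a descriptive custom error. The SellOrder layout, the `orders` and `balances` mappings and the ETH-for-token payment flow are assumptions made so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface used here (assumed; the audited IERC20 is not on the page).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract OrderBookExample {
    // Hypothetical order layout, assumed for this example.
    struct SellOrder {
        address seller;
        address erc20Address;
        uint256 amount; // tokens the buyer receives
        uint256 price;  // wei the buyer must send
        bool filled;
    }

    mapping(uint256 => SellOrder) public orders;
    mapping(address => uint256) public balances; // seller proceeds, withdrawn later

    error OrderAlreadyFilled(uint256 orderId);
    error IncorrectPayment(uint256 expected, uint256 sent);
    error TokenTransferFailed(address token, address to, uint256 amount);

    // VULNERABLE PATTERN (the one the finding describes): the bool returned by
    // transfer() is dropped, so a token that returns false instead of reverting
    // leaves `filled` and `balances` updated while the buyer received nothing.
    function buyOrderUnchecked(uint256 orderId) external payable {
        SellOrder storage order = orders[orderId];
        if (order.filled) revert OrderAlreadyFilled(orderId);
        if (msg.value != order.price) revert IncorrectPayment(order.price, msg.value);
        order.filled = true;
        balances[order.seller] += msg.value;
        IERC20(order.erc20Address).transfer(msg.sender, order.amount);
    }

    // FIXED PATTERN: check the return value and revert with a descriptive error.
    // The revert undoes the state writes above it, so storage and token balances
    // cannot diverge, and the caller sees exactly why the purchase failed.
    function buyOrder(uint256 orderId) external payable {
        SellOrder storage order = orders[orderId];
        if (order.filled) revert OrderAlreadyFilled(orderId);
        if (msg.value != order.price) revert IncorrectPayment(order.price, msg.value);
        order.filled = true;
        balances[order.seller] += msg.value;
        bool ok = IERC20(order.erc20Address).transfer(msg.sender, order.amount);
        if (!ok) revert TokenTransferFailed(order.erc20Address, msg.sender, order.amount);
    }
}
```

Tokens that return no value at all from transfer make the checked call revert during return-data decoding, which is still safe but not compatible with them; OpenZeppelin's SafeERC20.safeTransfer handles both conventions if that compatibility is required.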