uncheck return value [Treasury.withdraw(address,uint256,address)] ignores return value
Summary
The withdraw function in Treasury.sol calls IERC20(token).transfer(recipient, amount) without checking its return value, potentially masking a failed transfer.
Vulnerability Details
In Treasury.withdraw(address,uint256,address), the transfer call is made without verifying that it succeeded. This oversight means that if the ERC20 token’s transfer function returns false (instead of reverting on failure), the Treasury contract will assume the transfer was successful.
Impact
Ignoring the return value may lead to scenarios where funds are not actually transferred, causing discrepancies in balances and potential loss or misallocation of tokens.
If IERC20(token).transfer(recipient, amount) fails and returns false, the Treasury contract does not detect the failure, leading to an incorrect state where the Treasury believes funds were withdrawn even though they were not.
Tools Used
github
Recommendations
Always check the return value of the ERC20 transfer. For example:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.