The withdraw
function in Treasury.sol
calls IERC20(token).transfer(recipient, amount)
without checking its return value, potentially masking a failed transfer.
In Treasury.withdraw(address,uint256,address)
, the transfer call is made without verifying that it succeeded. This oversight means that if the ERC20 token’s transfer
function returns false (instead of reverting on failure), the Treasury contract will assume the transfer was successful.
Ignoring the return value may lead to scenarios where funds are not actually transferred, causing discrepancies in balances and potential loss or misallocation of tokens.
If IERC20(token).transfer(recipient, amount)
fails and returns false, the Treasury contract does not detect the failure, leading to an incorrect state where the Treasury believes funds were withdrawn even though they were not.
github
Always check the return value of the ERC20 transfer. For example:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.