The deposit function in Treasury.sol ignores the return value of the ERC20 transferFrom call, which can lead to incorrect state updates if the token transfer fails.
Within the deposit function the following call is made without checking its return value:
If this call fails (i.e., returns false), the contract will proceed as if the tokens were successfully transferred, resulting in a discrepancy between recorded deposits and actual token balances.
Inconsistent state: The Treasury may record deposits without actually receiving tokens.
Financial risk: Users might lose funds or not receive the expected benefits, as the contract's recorded balance becomes inaccurate.
This vulnerability is likely to manifest when interacting with ERC20 tokens that return false on failure rather than reverting, which is a common behavior among non-standard implementations.
An attacker (or even a regular user) could exploit this by depositing tokens from a token contract where transferFrom fails silently (returns false). The Treasury contract would record a deposit even though no tokens were received, leading to misallocated funds.
Always verify the return value of the transferFrom call. For example, modify the code as follows:
This ensures that the function reverts if the token transfer fails, maintaining consistency in the contract's state.
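The following is a constructed illustration of the finding and of the recommended check, not the audited Treasury.sol: `TreasuryUnchecked` shows the discarded return value, and `TreasuryChecked` reverts unless the token reports success, also tolerating tokens that return no data at all (the approach OpenZeppelin's SafeERC20 takes), since a plain `require(token.transferFrom(...))` would itself revert on such tokens. The interface and contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for this finding; not the project's own code.
// Minimal ERC20 surface the treasury relies on.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the boolean returned by transferFrom is discarded.
contract TreasuryUnchecked {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) { token = _token; }

    function deposit(uint256 amount) external {
        // A token that returns false instead of reverting leaves this call "successful".
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount; // recorded even when no tokens arrived
    }
}

// Hardened pattern: the deposit is recorded only if the transfer reports success.
contract TreasuryChecked {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) {
        // A call to an address without code returns success with empty data,
        // so make sure the token is actually a contract.
        require(address(_token).code.length > 0, "Treasury: token is not a contract");
        token = _token;
    }

    function deposit(uint256 amount) external {
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeCall(IERC20.transferFrom, (msg.sender, address(this), amount))
        );
        // Accept only if the call did not revert AND it either returned no data
        // (non-standard tokens) or returned true. A false return now reverts.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "Treasury: transferFrom failed");
        deposits[msg.sender] += amount;
    }
}
```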