Stratax Contracts

First Flight #57
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: medium
Likelihood: medium

transferFrom Return Value Not Checked When Pulling Collateral

Author: Revealed upon completion

Description:
Stratax::createLeveragedPosition pulls user collateral using IERC20.transferFrom but does not verify the transfer succeeded:

function createLeveragedPosition(
    address _flashLoanToken,
    uint256 _flashLoanAmount,
    uint256 _collateralAmount,
    address _borrowToken,
    uint256 _borrowAmount,
    bytes calldata _oneInchSwapData,
    uint256 _minReturnAmount
) public onlyOwner {
    require(_collateralAmount > 0, "Collateral Cannot be Zero");
    // Transfer the user's collateral to the contract
@>  IERC20(_flashLoanToken).transferFrom(msg.sender, address(this), _collateralAmount);
    FlashLoanParams memory params = FlashLoanParams({
    ...
}

Some ERC20 tokens return false on failure instead of reverting, and others signal failure in non-standard ways. Because the return value is ignored, the function keeps executing even when the transfer failed, and the later steps that assume the collateral has been received operate on a false premise.
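The pattern from the finding reduced to a minimal vulnerable contract next to a hardened one, as an added example that is not part of the Stratax code base: FalseReturningToken, VulnerablePull and SafePull are constructed names, the mock token omits allowances for brevity, and the hardened version uses OpenZeppelin's SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: a token that signals failure by returning false
/// instead of reverting (the behaviour the finding is about).
/// Allowances are deliberately omitted to keep the example short.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1e18; }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount) return false; // no revert on failure
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern (as in createLeveragedPosition): the bool is dropped,
/// so execution continues and the contract records collateral it never got.
contract VulnerablePull {
    uint256 public collateralHeld;

    function pull(address token, uint256 amount) external {
        IERC20(token).transferFrom(msg.sender, address(this), amount);
        collateralHeld += amount; // wrong whenever transferFrom returned false
    }
}

/// Hardened pattern: safeTransferFrom reverts if the call returns false and
/// also accepts tokens that return no data, which a bare bool check cannot.
contract SafePull {
    using SafeERC20 for IERC20;

    uint256 public collateralHeld;

    function pull(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        collateralHeld += amount; // only reached if the transfer succeeded
    }
}
```

Calling VulnerablePull.pull with an amount above the caller's mock balance leaves collateralHeld incremented while the contract holds nothing; the same call on SafePull reverts.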

Impact:
Medium. If collateral is not actually transferred in, subsequent protocol actions may revert later (which is harder to diagnose) or operate under invalid assumptions, breaking the open-position flow and potentially leaving funds or operations stuck mid-transaction, depending on the downstream calls.

Recommended Mitigation:
At minimum, check the returned boolean (note: this does not cover tokens that do not return a bool):

- IERC20(_flashLoanToken).transferFrom(msg.sender, address(this), _collateralAmount);
+ bool ok = IERC20(_flashLoanToken).transferFrom(msg.sender, address(this), _collateralAmount);
+ require(ok, "transferFrom failed");
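Review bot: the `bool ok` check on the two `+` lines still fails for tokens whose transferFrom returns no data, since Solidity reverts when decoding a missing bool; the finding already notes this gap, so the mitigation should close it rather than leave it open. Replace both added lines with `IERC20(_flashLoanToken).safeTransferFrom(msg.sender, address(this), _collateralAmount);` and add `using SafeERC20 for IERC20;` to the contract, which reverts on a false return and tolerates tokens that return nothing.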
