Handle

sirhashalot

Vulnerability details

Impact

The safeSymbol() function, found in the SafeMetadata.sol contract and called in 4 Timeswap Convenience contracts in the symbol() functions, can cause a revert. This could make the 4 contracts not compliant with the ERC20 standard for certain asset pairs, because the symbol() function should return a string and not revert.

The root cause of the issue is that the safeSymbol() function assumes the return type of any ERC20 token to be a string. If the return value is not a string, abi.decode() will revert, and this will cause the symbol() functions in the Timeswap ERC20 contracts to revert.

Because this is known to cause issues with tokens that don’t fully follow the ERC20 spec, the safeSymbol() function in the BoringCrypto library has a fix for this. The BoringCrypto safeSymbol() function is similar to the one in Timeswap but it has a returnDataToString() function that handles the case of a bytes32 return value for a token name:
<https://github.com/boringcrypto/BoringSolidity/blob/ccb743d4c3363ca37491b87c6c9b24b1f5fa25dc/contracts/libraries/BoringERC20.sol#L15-L39&gt;

Proof of Concept

The root cause is line 20 of the safeSymbol() function in SafeMetadata.sol

The safeSymbol() function is called in:

• Bond.sol
• CollateralizedDebt.sol
• Insurance.sol
• Liquidity.sol

Recommended Mitigation Steps

Use the BoringCrypto safeSymbol() function code with the returnDataToString() parsing function to handle the case of a bytes32 return value:
<https://github.com/boringcrypto/BoringSolidity/blob/ccb743d4c3363ca37491b87c6c9b24b1f5fa25dc/contracts/libraries/BoringERC20.sol#L15-L39&gt;

The text was updated successfully, but these errors were encountered:

All reactions