Code4rena, 2023-01-popcorn-findings, issue 810
Feb 07, 2023

Unsafe token transfer in MultiRewardStaking and VaultController contracts

Code4rena
github.com

Lines of code
<https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L457>
<https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L526>

Vulnerability details

Impact

The MultiRewardStaking and VaultController contracts call the ERC20 transfer and transferFrom functions directly, without any safety check on whether the transfer actually succeeded. This matters because the reward token can have an arbitrary implementation, so the calling contract cannot rely on the token reverting when a transfer fails. If the recipient contract does not have a function to handle the incoming tokens, the result can be a loss of tokens.

Proof of Concept

Line <https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/utils/MultiRewardStaking.sol#L182>

_rewardTokens[i].transfer(user, rewardAmount);

Line <https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L457>

IERC20(rewardsToken).transferFrom(msg.sender, address(adminProxy), amount);

Line <https://github.com/code-423n4/2023-01-popcorn/blob/d95fc31449c260901811196d617366d6352258cd/src/vault/VaultController.sol#L526>

rewardTokens[i].transferFrom(msg.sender, address(this), amounts[i]);

Tools Used

Manual analysis

Recommended Mitigation Steps

The recommended solution is to use the safeTransfer and safeTransferFrom functions from OpenZeppelin's SafeERC20 library, which revert when the underlying token call fails or reports failure, so a failed transfer can never be silently treated as a success.
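The following is an added illustration, not code from the Popcorn repository or from this report: a constructed token that returns false instead of reverting, and a hypothetical RewardPayout contract that pays the same reward once with the unchecked pattern from the report and once with the check SafeERC20.safeTransfer performs, inlined so the file compiles without external imports. The contract and function names (FalseReturningToken, RewardPayout, accrue, _safeTransfer) are assumptions made for the example; the same check applies to transferFrom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token for the demo (not a real token): it reports failure by returning
// false rather than reverting, which an unchecked transfer() call cannot notice.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    constructor(address holder, uint256 supply) { balanceOf[holder] = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert on failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical reward payout contract showing the two claim styles side by side.
contract RewardPayout {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public owed;
    constructor(IERC20 token) { rewardToken = token; }

    // Demo helper only: deliberately unrestricted so the example can be exercised.
    function accrue(address user, uint256 amount) external { owed[user] += amount; }

    // Vulnerable pattern from the report: the bool result is discarded, so the user's
    // entitlement is zeroed even when the token returned false and nothing was paid.
    function claimUnchecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        rewardToken.transfer(msg.sender, amount);
    }

    // Hardened pattern: the rule SafeERC20.safeTransfer enforces (target has code, the
    // call succeeds, and it returns either nothing or true), so failure reverts the claim.
    function claimChecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        _safeTransfer(rewardToken, msg.sender, amount);
    }

    function _safeTransfer(IERC20 token, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeWithSelector(IERC20.transfer.selector, to, amount));
        require(address(token).code.length > 0 && ok && (ret.length == 0 || abi.decode(ret, (bool))), "reward transfer failed");
    }
}
```

With a FalseReturningToken holding fewer tokens than a user is owed, claimUnchecked succeeds and zeroes the user's entitlement without paying anything, while claimChecked reverts and leaves the accounting intact.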

