Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
code423n4Code4renaCODE423N4:2023-01-POPCORN-FINDINGS-ISSUES-826
HistoryFeb 07, 2023 - 12:00 a.m.

Use safeTransferFrom and safeApprove foe the reward tokens in Vault Controller instead of transferFrom and approve functions

2023-02-0700:00:00
Code4rena
github.com
2
vulnerability
impact
erc20
mitigation
safeerc20
JSON

Lines of code
<https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L456-L457&gt;
<https://github.com/code-423n4/2023-01-popcorn/blob/main/src/vault/VaultController.sol#L526&gt;

Vulnerability details

Impact

In 3 functions return values of ERC20 contracts (either approve or transferFrom) are not checked : fundStakingRewards ; addStakingRewardsTokens and _handleInitialDeposit. This is especially dangerous in the addStakingRewardsTokens function, because in this case, the newly added reward token would be considered as one of the reward tokens, even if the return of its transferFrom function would be False. It could then be a way to steal this same token from the AdminProxy via the adminProxy.execute function which is called right after. However, impact is rather limited because caller of addStakingRewardsTokens must be the creator of the Vault or the owner and furthermore there is a check on the token which must be pre-approved via the call to _verifyToken.

Proof of Concept

If the token returns False, the ERC20-related transactions would have failed but in pratice, a call to addStakingRewardsTokens would succeed, which is not expected.

Recommended Mitigation Steps

Use the safeTransferFrom and safeApprove functions from the SafeERC20 library accordingly.

The text was updated successfully, but these errors were encountered:

All reactions

JSON