Source: Code4rena (code423n4)
ID: CODE423N4:2023-07-POOLTOGETHER-FINDINGS-ISSUES-473
Published: Jul 14, 2023

withdrawReserve will revert when withdrawing tokens with on chain tx fees


Lines of code

Vulnerability details

Impact

The function will revert when _amount is equal to _reserve and the token being transferred is a fee-on-transfer token.

Proof of Concept

    function withdrawReserve(
        address _to,
        uint104 _amount
    ) external onlyDrawManager {
        // Reject withdrawals larger than the accounted reserve.
        if (_amount > _reserve) {
            revert InsufficientReserve(_amount, _reserve);
        }
        // Debit the internal counter, then send the tokens.
        _reserve -= _amount;
        _transfer(_to, _amount);
        // (remainder of the function is not shown on the page)
    }

Let’s say _reserve is 5 and _amount is 5. When you subtract, the balance will be zero, but since the token is a fee-on-transfer token, the call will revert because you’re trying to send exactly all the tokens out.

Tools Used

Manual review

Recommended Mitigation Steps

Change the check if (_amount > _reserve) to use >=, or implement another mitigation step that checks for fee-on-transfer tokens.

Assessed type

Token-Transfer
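
The scenario from the Proof of Concept, and one form of the "checks for fee on transfer" mitigation, as an added Python model that is not part of the original report or of PoolTogether's code. It assumes a token that charges its fee on top of the transferred amount and debits it from the sender; FeeToken, Pool, withdraw_reserve_measured and page_scenario are hypothetical names.

```python
# Constructed model, not PoolTogether code: integer ledgers stand in for ERC-20 state.
class Revert(Exception):
    """Stands in for a Solidity revert."""

class FeeToken:
    """Assumption: the fee is charged on top of `amount` and debited from the sender."""
    def __init__(self, fee_bps, pool_balance):
        self.fee_bps = fee_bps
        self.balances = {"pool": pool_balance}

    def transfer(self, sender, to, amount):
        fee = -(-amount * self.fee_bps // 10_000)  # ceiling division
        if self.balances.get(sender, 0) < amount + fee:
            raise Revert("balance does not cover amount plus fee")
        self.balances[sender] -= amount + fee
        self.balances[to] = self.balances.get(to, 0) + amount

class Pool:
    def __init__(self, token, reserve):
        self.token, self.reserve = token, reserve

    def withdraw_reserve(self, to, amount):
        """Same check as the page's snippet. The transfer runs before the debit only so
        that a revert leaves this model's state unchanged, as a reverted call would."""
        if amount > self.reserve:
            raise Revert("InsufficientReserve")
        self.token.transfer("pool", to, amount)
        self.reserve -= amount

    def withdraw_reserve_measured(self, to, amount):
        """Hypothetical variant: debit the reserve by what actually left the pool."""
        snapshot = dict(self.token.balances)
        self.token.transfer("pool", to, amount)
        spent = snapshot["pool"] - self.token.balances["pool"]
        if spent > self.reserve:
            self.token.balances = snapshot  # roll back, as a revert would
            raise Revert("InsufficientReserve")
        self.reserve -= spent
        return spent

def page_scenario(fee_bps=100):
    """_reserve = 5 and _amount = 5, as in the report; returns the revert reason or None."""
    pool = Pool(FeeToken(fee_bps, pool_balance=5), reserve=5)
    try:
        pool.withdraw_reserve("recipient", 5)
    except Revert as exc:
        return str(exc)
    return None
```

Under the same assumed fee model, a partial withdrawal through withdraw_reserve leaves the reserve counter above the pool's real token balance, while the measured variant keeps the two equal.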

