Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Nukem Loans>Discussion>SaferERC20 additional checks
GeneralOverview
Findings
Critical (3)
High (3)
Medium (2)
Low (1)
DiscussionInitializer called in constructorBorrowing on behalf of the Market contractPotential storage-collision issueSaferERC20 additional checksEIP-712 implementationMarket setters should only be called onceUtilizing eth-brownie for testingCentralizationAMM oracle pricing
Threat ModelWhat are threat models?AbstractSwapper.solAuctions.solCollateral.solCredit.solDebt.solEIP712.solERC20Base.solERC20Permit.solEnFi4626.solLendingStrategy.solMarket.solProxyManager.solRoles.solSaferERC20.solUniswapV2Swapper.sol
Audit ResultsSummary

SaferERC20 additional checks

The SaferERC20 contract handles sending both ERC-20 and native tokens. It does that through an if-else statement, where it checks if the token that is being sent is the native token, and if so, it checks that the value sent is enough.

However, it does not check that msg.value is zero in case the token is not the native token. This means that if a user intends to perform an operation where they are using a non-native token and by mistake send some native tokens (i.e., msg.value > 0), the operation will still be performed and the native tokens will be lost.

An example is the safeTransferToSelf function:

function safeTransferToSelf(IERC20 token, uint256 value) internal returns (uint256) {
    if(address(token) == address(0xFFfFfFffFFfffFFfFFfFFFFFffFFFffffFfFFFfF)) {
        require(msg.value >= value, "insuff.eth");
        uint256 dust = msg.value - value;
        if(dust > 0) {
            payable(msg.sender).transfer(dust);
        }
        return value;
    }
    else {
+       require(msg.value == 0, "SaferERC20: cannot transfer value with ether");
        require(token.allowance(msg.sender, address(this)) >= value, "insuff.approval");
        return safeTransferFromWithAmount(token, msg.sender, address(this), value);
    }
}

Similarly, all the other functions that handle sending tokens should check that msg.value is zero in case the token is not the native token.

Zellic © 2023Back to top ↑