Category: Coding Mistakes
Erroneous token transfer direction in the UpdateTokenShares
function
High Severity
High Impact
High Likelihood
Description
The updateTokenShares
function is intended to be called by the contract owner to update the Merkle root representing users' percentage claims to a token, list tokens available for claim, and claimable amounts. However, due to a mistake, this function tries to transfer tokens from the contract to the owner, instead of allowing the owner to send tokens to the contract for users to claim.
function updateTokenShares(bytes32 merkleRoot, address[] calldata tokens, uint256[] calldata amounts)
external
onlyOwner
{
if (merkleRoot.length == 0 || tokens.length == 0 || tokens.length != amounts.length) revert InvalidInput();
uint256 length = tokens.length;
uint256 i;
while (i < length) {
IERC20(tokens[i]).safeTransfer(msg.sender, amounts[i]);
unchecked { i++; }
}
_setTokenShares(merkleRoot, tokens, amounts);
}
Impact
This functionality does not work because, as a result of an error, the owner cannot send tokens to the contract so that users can withdraw them later.
Recommendations
Modify the updateTokenShares
function to transfer tokens from msg.sender
to the contract address as shown below:
function updateTokenShares(bytes32 merkleRoot, address[] calldata tokens, uint256[] calldata amounts)
external
onlyOwner
{
...
IERC20(tokens[i]).safeTransferFrom(msg.sender, address(this), amounts[i]);
...
Remediation
This issue has been acknowledged by SAX, and a fix was implemented in commit b5651803↗.