Category: Business Logic

Missing validation check on ERC20 transfer

Severity: Low
Impact: Informational
Likelihood: N/A

Description

Currently liquidate(...) does not revert the transaction if the following ERC20 transfer fails:

if (param.totalDebt > discountedFloorPriceInTotal) {
    param.remaningDebt = param.totalDebt - discountedFloorPriceInTotal;
} else {
    uint256 refundAmount = discountedFloorPriceInTotal -
        param.totalDebt;
    IERC20(param.currency).transfer(param.vault, refundAmount);
    param.receivedAmount -= refundAmount;
}

Impact

The call should never fail as the funds will always be in the account.

Recommendations

Add a check and revert on a false return value from the ERC20 transfer call.

Remediation

Commit 654a9242 was indicated as containing the remediation. The commit correctly fixes the issue by using safeTransfer instead of transfer, which does revert if the transfer fails.
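
The three forms side by side, as an added example that is not the Voyage code or the contents of the remediation commit: the unchecked call from the finding, the check the recommendation describes, and a safeTransfer-style wrapper. The names CheckedTransfer and RefundExample are hypothetical, and the wrapper goes beyond the case on the page by also handling tokens that return no data and addresses without code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical helper library (illustration only, not the Voyage code).
library CheckedTransfer {
    // Reverts if the token call reverts, returns false, or targets a non-contract.
    // Accepts tokens that return no data at all, which a plain
    // `require(token.transfer(...))` would reject when decoding the result.
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        (bool ok, bytes memory ret) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok, "ERC20 transfer reverted");
        if (ret.length == 0) {
            // A call to an address without code succeeds with empty return data.
            require(address(token).code.length > 0, "token is not a contract");
        } else {
            require(abi.decode(ret, (bool)), "ERC20 transfer returned false");
        }
    }
}

// Hypothetical contract mirroring the refund branch quoted in the finding.
// Access control and accounting are omitted to keep the focus on the transfer.
contract RefundExample {
    using CheckedTransfer for IERC20;

    // Before: a `false` return value is ignored and execution continues.
    function refundUnchecked(address currency, address vault, uint256 refundAmount) external {
        IERC20(currency).transfer(vault, refundAmount);
    }

    // Recommendation as written: revert on a false return value.
    function refundChecked(address currency, address vault, uint256 refundAmount) external {
        require(IERC20(currency).transfer(vault, refundAmount), "refund failed");
    }

    // Remediation style: revert on every failure mode via the wrapper.
    function refundSafe(address currency, address vault, uint256 refundAmount) external {
        IERC20(currency).safeTransfer(vault, refundAmount);
    }
}
```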
