Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing Token Length Check in TransferHelper Library #93

Open
hats-bug-reporter bot opened this issue Oct 10, 2024 · 0 comments
Open

Missing Token Length Check in TransferHelper Library #93

hats-bug-reporter bot opened this issue Oct 10, 2024 · 0 comments
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter
Copy link

Github username: @catellaTech
Twitter username: catellatech
Submission hash (on-chain): 0xab56e5f1df6625d38527ab878b25bec47379e13b1f19c6b382a5bfadc9291a23
Severity: low

Description:

Description:

The TransferHelper library, as shown below, does not verify if the token's contract code length is greater than zero before executing low-level calls in the safeTransfer, safeTransferFrom, and safeApprove functions. This issue is widely recognized in Solidity due to the risks associated with interacting with addresses that may not have valid contract code or may not be valid ERC20 tokens.

// SPDX-License-Identifier: GPL-2.0-or-later
pragma solidity >=0.6.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";

library TransferHelper {
    function safeTransferFrom(address token, address from, address to, uint256 value) internal {
        (bool success, bytes memory data) = token.call(abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, value));
        require(success && (data.length == 0 || abi.decode(data, (bool))), "STF");
    }

    function safeTransfer(address token, address to, uint256 value) internal {
        (bool success, bytes memory data) = token.call(abi.encodeWithSelector(IERC20.transfer.selector, to, value));
        require(success && (data.length == 0 || abi.decode(data, (bool))), "ST");
    }

    function safeApprove(address token, address to, uint256 value) internal {
        (bool success, bytes memory data) = token.call(abi.encodeWithSelector(IERC20.approve.selector, to, value));
        require(success && (data.length == 0 || abi.decode(data, (bool))), "SA");
    }

    function safeTransferROSE(address to, uint256 value) internal {
        (bool success,) = to.call{ value: value }(new bytes(0));
        require(success, "STE");
    }
}

Affected Contracts:

This library is inherited by SmartRouterHelper.sol, which is then inherited by StableSwapRouter.sol. The issue arises from using low-level calls without verifying if the token address has valid contract code. This may potentially expose the protocol to vulnerabilities in future updates or contract interactions.

Impact:

  • The lack of a check for the token’s code length could allow the contract to interact with invalid or non-contract addresses, leading to unexpected failures or security vulnerabilities.

Recommendation:

To mitigate this risk, it is recommended to add a check that ensures the token address has valid contract code in the safeTransfer, safeTransferFrom, and safeApprove functions. This would prevent interactions with non-contract addresses. Below is the suggested code to include:

require(token.code.length > 0, "Invalid token address");

This should be added to the following functions:

  1. safeTransfer
  2. safeTransferFrom
  3. safeApprove
@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Oct 10, 2024
@omega-audits omega-audits added the invalid This doesn't seem right label Oct 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@omega-audits