Incorrect implementation of ERC-677 #30
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
low quality report
This report is of especially low quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-04-frankencoin/blob/f86279e76fd9f810d2a25243012e1be4191a547e/contracts/ERC20.sol#L162
Vulnerability details
Impact
The implementation of ERC677 leads to the following issues:
transferAndCall
to transfer tokens to a regular user.false
, which means they failed to process the token reception, the tokens will still end up on their contract since there is no check for the result of theonTokenTransfer
call, which leads to a loss of the very essence of using this standard.Proof of Concept
The full implementation of the contract is as follows:
https://github.com/code-423n4/2023-04-frankencoin/blob/f86279e76fd9f810d2a25243012e1be4191a547e/contracts/ERC20.sol#L162
Here we can see that there is no possibility of transferring tokens through this method to a regular user(since a simple user cannot handle the
onTokenTransfer
call), and the result of the 'onTokenTransfer' call is not checked, leading to a situation where tokens are sent in L163 but not accepted in L165, which may result in their being locked on the recipient's contract.Links on the resource side:
Tools Used
Recommended Mitigation Steps
The text was updated successfully, but these errors were encountered: