Skip to content
This repository has been archived by the owner on May 26, 2023. It is now read-only.

Latest commit

 

History

History
25 lines (20 loc) · 1.04 KB

019.md

File metadata and controls

25 lines (20 loc) · 1.04 KB
Raw

Kodyvim

medium

UNHANDLED RETURN VALUES OF TRANSFERFROM

Summary

Call from transferFrom and transfer does not revert on failure so should be checked.

Vulnerability Detail

ERC implementations are not always consistent. Some implementations of transfer and transferFrom could return ‘false’ on failure instead of reverting. It is safer to wrap such calls into require() statements to these failures. https://github.com/sherlock-audit/2023-01-optimism/blob/main/optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol#L101

Impact

The L1ERC721Bridge contract uses transferFrom to lock nft by transferring the nft from the user to the bridge contract. it's possible the call would fail silently.

Code Snippet

       // Lock token into bridge
        deposits[_localToken][_remoteToken][_tokenId] = true;
        IERC721(_localToken).transferFrom(_from, address(this), _tokenId);

Tool used

Manual Review

Recommendation

Check the return value and revert on 0/false or use OpenZeppelin’s SafeERC wrapper functions.