Skip to content

Instantly share code, notes, and snippets.

@bytes032

bytes032/.md Secret

Created May 4, 2023 03:35
Show Gist options
  • Save bytes032/8964fe66f837eadfeb8eb589d4702e95 to your computer and use it in GitHub Desktop.
Save bytes032/8964fe66f837eadfeb8eb589d4702e95 to your computer and use it in GitHub Desktop.

Context: RescueFunderLib.sol

Severity: Low

Description: When using Solmate's SafeTransferLib, it is crucial to verify whether the token has any code, since the responsibility for the check is delegated to the caller.

https://github.com/transmissions11/solmate/blob/2001af43aedb46fdc2335d2a7714fb2dae7cfcd1/src/utils/SafeTransferLib.sol#L6-L9

/// @notice Safe ETH and ERC20 transfer library that gracefully handles missing return values. /// @author Solmate (https://github.com/transmissions11/solmate/blob/main/src/utils/SafeTransferLib.sol) /// @dev Use with caution! Some functions in this library knowingly create dirty bits at the destination of the free memory pointer. /// @dev Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller.

Even though RescueFunderLib currently doesn't use the library, when it starts using it the bug will be present.

https://github.com/SocketDotTech/socket-DL/blob/7e35397543bade26c3f1bd0b34fe69875cc3b73f/contracts/libraries/RescueFundsLib.sol#L32-L39

        if (token_ == ETH_ADDRESS) {
            (bool success, ) = userAddress_.call{value: address(this).balance}(
                ""
            );
            require(success);
        } else {
            IERC20(token_).transfer(userAddress_, amount_);
        }

Recommendation:

I'm rating it as a Low, because it falls into the bucket of

Contract fails to deliver what was promised, but no one's security is affected

https://github.com/SocketDotTech/socket-DL/blob/7e35397543bade26c3f1bd0b34fe69875cc3b73f/contracts/libraries/RescueFundsLib.sol#L25-L41

    function rescueFunds(
        address token_,
        address userAddress_,
        uint256 amount_
    ) internal {
        require(userAddress_ != address(0));
+        require(token_.code.length > 0, "RescueFundsLib: Invalid token address");

        if (token_ == ETH_ADDRESS) {
            (bool success, ) = userAddress_.call{value: address(this).balance}(
                ""
            );
            require(success);
        } else {
            IERC20(token_).transfer(userAddress_, amount_);
        }
    }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment