Context: RescueFunderLib.sol
Severity: Low
Description: When using Solmate's SafeTransferLib, it is crucial to verify whether the token has any code, since the responsibility for the check is delegated to the caller.
/// @notice Safe ETH and ERC20 transfer library that gracefully handles missing return values. /// @author Solmate (https://github.com/transmissions11/solmate/blob/main/src/utils/SafeTransferLib.sol) /// @dev Use with caution! Some functions in this library knowingly create dirty bits at the destination of the free memory pointer. /// @dev Note that none of the functions in this library check that a token has code at all! That responsibility is delegated to the caller.
Even though RescueFunderLib currently doesn't use the library, when it starts using it the bug will be present.
if (token_ == ETH_ADDRESS) {
(bool success, ) = userAddress_.call{value: address(this).balance}(
""
);
require(success);
} else {
IERC20(token_).transfer(userAddress_, amount_);
}Recommendation:
I'm rating it as a Low, because it falls into the bucket of
Contract fails to deliver what was promised, but no one's security is affected
function rescueFunds(
address token_,
address userAddress_,
uint256 amount_
) internal {
require(userAddress_ != address(0));
+ require(token_.code.length > 0, "RescueFundsLib: Invalid token address");
if (token_ == ETH_ADDRESS) {
(bool success, ) = userAddress_.call{value: address(this).balance}(
""
);
require(success);
} else {
IERC20(token_).transfer(userAddress_, amount_);
}
}