Low-level call return value is not checked #41
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-25
edited-by-warden
insufficient quality report
This report is not of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTBExecutor.sol#L67
https://github.com/code-423n4/2024-01-decent/blob/07ef78215e3d246d47a410651906287c6acec3ef/src/UTBExecutor.sol#L54
Vulnerability details
Impact
If the call fails, it will cause the user to lose funds.
Proof of Concept
If refund is a contract, the call will invoke its fallback logic, and that logic may revert, leaving the user unable to receive the refund.
UTBExecutor assumes the refund succeeded regardless, so the user loses the funds.
UTBExecutor should support the wrapped native token so that an ERC20 transfer can still deliver the refund even if the native call fails.
Tools Used
Manual review
Recommended Mitigation Steps
Check the call return value; if the call fails, convert the amount into the wrapped native token and transfer it to the refund address.
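The two refund paths described above side by side, as an added illustration that is not the project's UTBExecutor code: the unchecked pattern the report flags, and the hardened version that checks the low-level call and falls back to the wrapped native token. The contract and function names (RefundExample, refundUnchecked, refundChecked) are assumed; IWETH exposes the standard WETH9 deposit and transfer functions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal WETH9-style interface (deposit wraps native token 1:1, transfer is ERC20).
interface IWETH {
    function deposit() external payable;
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed example contract, not the project's code.
contract RefundExample {
    IWETH public immutable weth;

    constructor(IWETH _weth) {
        weth = IWETH(_weth);
    }

    // Vulnerable pattern: the boolean returned by the low-level call is discarded.
    // If `refund` is a contract whose receive/fallback reverts, the native token
    // stays in this contract and the caller silently loses the refund.
    function refundUnchecked(address payable refund, uint256 amount) internal {
        refund.call{value: amount}("");
    }

    // Hardened pattern: check the return value and, on failure, wrap the amount
    // and deliver it as an ERC20 transfer, which does not execute the recipient's
    // fallback and therefore cannot be blocked by it.
    function refundChecked(address refund, uint256 amount) internal {
        require(refund != address(0), "refund address unset");
        (bool ok, ) = refund.call{value: amount}("");
        if (!ok) {
            weth.deposit{value: amount}();
            require(weth.transfer(refund, amount), "WETH transfer failed");
        }
    }

    // Entry point showing the hardened path: funds sent with this call are
    // refunded to `refund` either natively or as WETH.
    function demoRefund(address refund) external payable {
        refundChecked(refund, msg.value);
    }

    receive() external payable {}
}
```

The fallback to WETH is the mitigation the report recommends; it preserves the user's funds whenever the native transfer is refused, at the cost of the recipient having to unwrap them. Checking `weth.transfer`'s return value with `require` keeps the invariant that the contract never silently retains a refund.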
Assessed type
call/delegatecall