Paladin - Warden Pledges contest - 8olidity's results

A governance lending protocol transforming users voting power into a new money lego.

General Information

Platform: Code4rena

Start Date: 27/10/2022

Pot Size: $33,500 USDC

Total HM: 8

Participants: 96

Period: 3 days

Judge: kirk-baird

Total Solo HM: 1

Id: 176

League: ETH

Researcher Performance

Rank: 60/96

Findings: 1

Award: $19.64

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-10-paladin/blob/main/contracts/WardenPledge.sol#L653

Vulnerability details

Impact

Suppose a user unintentionally sends 100 fee-on-transfer tokens to the contract and the administrator later wants to recover them. The token charges a 10% commission on every transfer, but `recoverERC20` is written to send the full balance, so the contract does not have enough tokens left to cover the fee and the administrator can never take the tokens out.

Proof of Concept

    // WardenPledge.sol: owner-only recovery of tokens held by the contract.
    function recoverERC20(address token) external onlyOwner returns(bool) {
        // Reward tokens with a configured minimum amount are not recoverable.
        if(minAmountRewardToken[token] != 0) revert Errors.CannotRecoverToken();

        // The full balance is transferred; no amount parameter is accepted.
        uint256 amount = IERC20(token).balanceOf(address(this));
        if(amount == 0) revert Errors.NullValue();
        IERC20(token).safeTransfer(owner(), amount);

        return true;
    }

Tools Used

vscode

Recommended Mitigation

Example: add a token whitelist.

#0 - Kogaroshi

2022-10-31T19:43:14Z

Issue similar to #27, see there for response.

  • Mitigation proposed is already in place in the system.

#1 - kirk-baird

2022-11-10T20:55:51Z

I'm going to downgrade this to QA. The way transfer(to, amount) works on FoT tokens is that the sender will be deducted amount and the receiver will receive amount - fee. See this contract for an example. So I don't believe there will be an issue recovering FoT tokens from this contract.

Hence, calling transfer() with the entire balance for FoT tokens is ok.

However, it may be desirable to only transfer out a certain portion of tokens sometimes e.g. if a portion of the tokens are locked OR there is a unique implementation of FoT. So I'll leave this as QA.
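The following is an added example, not code from the Paladin repository or from the judge: a small Python model of the two fee-on-transfer behaviours discussed in the finding and in the comment above (the usual "receiver gets amount - fee" design, and the atypical "sender is debited amount + fee" design), run against a function that mirrors `recoverERC20`'s full-balance transfer. The token classes, the 10% fee and the 100-token balance are constructed for the illustration.

```python
# Added example, not code from the Paladin repository: a toy model of two
# fee-on-transfer (FoT) token designs, used to check what happens when a
# recoverERC20-style function transfers the contract's whole balance.
# Names, the 10% fee and the 100-token balance are constructed values.

class FeeOnTransferToken:
    """Usual FoT: sender is debited `amount`, receiver gets `amount - fee`."""
    def __init__(self, fee_bps: int):
        self.fee_bps = fee_bps
        self.balances: dict[str, int] = {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.fee_bps // 10_000
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount - fee


class FeeOnTopToken(FeeOnTransferToken):
    """Atypical FoT: sender is debited `amount + fee`, receiver gets `amount`."""
    def transfer(self, sender: str, to: str, amount: int) -> None:
        fee = amount * self.fee_bps // 10_000
        if self.balance_of(sender) < amount + fee:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount + fee
        self.balances[to] = self.balance_of(to) + amount


def recover_erc20(token, contract: str, owner: str) -> None:
    """Mirrors recoverERC20: send the contract's full balance to the owner."""
    amount = token.balance_of(contract)
    if amount == 0:
        raise ValueError("NullValue")
    token.transfer(contract, owner, amount)


def recovery_outcome(token_cls) -> tuple:
    """Return (recovered?, contract balance after, owner balance after)."""
    token = token_cls(fee_bps=1_000)          # 10% fee, constructed value
    token.balances["WardenPledge"] = 100      # 100 tokens held by the contract
    try:
        recover_erc20(token, "WardenPledge", "owner")
        ok = True
    except ValueError:
        ok = False
    return ok, token.balance_of("WardenPledge"), token.balance_of("owner")
```

With the usual FoT semantics the full-balance transfer succeeds and the owner receives 90 of the 100 tokens; only the atypical fee-on-top design leaves the tokens stuck, which is the caveat the judge raises.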

#2 - c4-judge

2022-11-10T20:56:08Z

kirk-baird changed the severity to QA (Quality Assurance)

#3 - c4-judge

2022-11-11T23:58:55Z

kirk-baird marked the issue as grade-b
