Platform: Code4rena
Start Date: 01/07/2022
Pot Size: $75,000 USDC
Total HM: 17
Participants: 105
Period: 7 days
Judge: Jack the Pug
Total Solo HM: 5
Id: 143
League: ETH
Rank: 104/105
Findings: 1
Award: $3.41
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: horsefacts
Also found by: 0x1f8b, 0x29A, 0x52, 0xf15ers, AlleyCat, Ch_301, Chom, Franfran, IllIllI, Kaiziron, Limbooo, Meera, Ruhum, Sm4rty, apostle0x01, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, delfin454000, durianSausage, fatherOfBlocks, hake, hansfriese, hyh, jonatascm, m_Rassska, oyc_109, peritoflores, rajatbeladiya, rbserver, svskaushik, zzzitron
3.4075 USDC - $3.41
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/JBERC20PaymentTerminal.sol#L81-L89
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol#L349
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol#L555
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol#L772
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol#L885
https://github.com/jbx-protocol/juice-contracts-v2-code4rena/blob/828bf2f3e719873daa08081cfa0d0a6deaa5ace5/contracts/abstract/JBPayoutRedemptionPaymentTerminal.sol#L965
There are multiple external calls to IERC20.transfer() and IERC20.transferFrom() in contracts that are supposed to move tokens into and out of the system. However, some tokens, USDT being the best-known example, do not return any value from their transfer() and transferFrom() implementations. Calling them through the IERC20 interface, which declares a bool return value, reverts when the ABI decoder finds no return data, so every such transfer fails (a kind of DoS: funds already held by the contract are stuck).
In addition, tokens that do return a value from transfer() and transferFrom() use that boolean to report whether the transfer succeeded or failed, but the contract never checks it. A token that returns false instead of reverting would leave the caller not debited when calling the pay function, while the terminal still records the payment and emits events for a transfer that never happened.
Multiple functions in the JBPayoutRedemptionPaymentTerminal contract are affected because they rely on the unchecked transfer() or transferFrom() call inherited from the JBERC20PaymentTerminal contract.
JBERC20PaymentTerminal._transferFrom() makes the unchecked transfer() or transferFrom() call; through this internal function the following JBPayoutRedemptionPaymentTerminal functions are affected: pay(), addToBalanceOf(), _redeemTokensOf(), _distributePayoutsOf(), _useAllowanceOf()
Manual review
Use OpenZeppelin's SafeERC20.safeTransfer() and SafeERC20.safeTransferFrom() functions instead. They accept a token that returns no data and revert when a token returns false, which covers both cases above.
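The following Solidity is an added illustration of the two failure modes and of the recommended fix; it is not code from the Juicebox repository. The two token contracts are constructed stand-ins (a USDT-style token with no return value, and a token that returns false instead of reverting), and UnsafeTerminal/SafeTerminal are hypothetical minimal terminals whose _transferFrom() mirrors the transfer-or-transferFrom split the finding describes. OpenZeppelin 4.x is assumed for IERC20 and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.6;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-in for a USDT-style token: transfer()/transferFrom()
// declare no return value. Not the real USDT contract.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000; }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // No `returns (bool)`: calling this through IERC20 reverts, because the
    // ABI decoder expects 32 bytes of return data and receives none.
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Constructed stand-in for a token that signals failure with `false`
// rather than reverting.
contract FalseReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical terminal with the pattern the finding describes: the
// bool returned by transfer()/transferFrom() is dropped.
contract UnsafeTerminal {
    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function _transferFrom(address from, address payable to, uint256 amount) internal {
        if (from == address(this)) {
            // NoReturnToken: reverts every time (DoS on payouts/redemptions).
            // FalseReturnToken: `false` is ignored; the caller's accounting
            // proceeds as if the tokens moved.
            token.transfer(to, amount);
        } else {
            token.transferFrom(from, to, amount);
        }
    }
}

// Hardened version: SafeERC20 tolerates empty return data and reverts
// when a token returns false, so both cases above are handled.
contract SafeTerminal {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;

    constructor(IERC20 _token) { token = _token; }

    function _transferFrom(address from, address payable to, uint256 amount) internal {
        if (from == address(this)) {
            token.safeTransfer(to, amount);
        } else {
            token.safeTransferFrom(from, to, amount);
        }
    }
}
```

SafeERC20 works by making a low-level call and then checking `returndata.length == 0 || abi.decode(returndata, (bool))`, which is exactly the check that the raw IERC20 call cannot express: a missing return value is accepted, and an explicit `false` reverts with "SafeERC20: ERC20 operation did not succeed". It also requires the callee to have code, so a transfer to an address with no contract behind it fails rather than silently succeeding.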
#0 - drgorillamd
2022-07-12T18:29:21Z
Duplicate of #281