Trader Joe contest - hack3r-0m's results

One-stop-shop decentralized trading on Avalanche.

General Information

Platform: Code4rena

Start Date: 25/01/2022

Pot Size: $50,000 USDT

Total HM: 17

Participants: 39

Period: 3 days

Judge: LSDan

Total Solo HM: 9

Id: 79

League: ETH

Trader Joe

Findings Distribution

Researcher Performance

Rank: 28/39

Findings: 2

Award: $134.79

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
duplicate
2 (Med Risk)

Awards

60.3184 USDT - $60.32

External Links

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/LaunchEvent.sol#L4905

While withdrawing incentives, the contract does not check whether the ERC20 transfer succeeded. If, due to a minor rounding error (at the 17th/18th decimal place, which is possible), the contract does not have enough tokens to make the transfer, false is returned and ignored.

So the user is marked as claimed even though the transfer has failed.

Tools Used

Manual Review

Use SafeTransfer or TransferHelper

#0 - cryptofish7

2022-01-31T14:53:00Z

Duplicate of #12

Findings Information

🌟 Selected for report: cmichel

Also found by: Czar102, Ruhum, Tomio, WatchPug, defsec, hack3r-0m, hyh, saian

Labels

bug
duplicate
2 (Med Risk)

Awards

74.4672 USDT - $74.47

External Links

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2022-01-trader-joe/blob/main/contracts/RocketJoeFactory.sol#L133

createRJLaunchEvent is followed by the initialization of the launch event; the balance of the launch event address is whatever is supplied by the above-mentioned safe transfer call.

According to EIP-20, transferFrom returns a boolean:

function transferFrom(address _from, address _to, uint256 _value) public returns (bool success)

If it returns false, the return value is not checked and execution continues, which results in the launch event being created successfully.

This is harmful because the same factory can never create a launch event for the same token again.

Tools Used

Manual Review

Use SafeTransfer or TransferHelper

#0 - cryptofish7

2022-01-31T00:48:52Z

Duplicate of #232

#1 - dmvt

2022-02-22T19:25:30Z

duplicate of #198
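Both findings above are the same defect: an ERC20 call whose boolean return value is discarded after state has already been updated. The following is an added illustration, not Trader Joe or Rocket Joe code; IncentiveVault, EventFactory, CheckedTransfer and LaunchEventStub are invented names. It shows the unchecked shape beside a TransferHelper-style wrapper that reverts on a false return, so the state change is rolled back instead of being left inconsistent. The wrapper also accepts tokens that return no data at all, which is the case a plain require(token.transfer(...)) does not handle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example for the two findings; not project code. All contract and
// library names here are hypothetical.

interface IERC20 {
    function transfer(address to, uint256 value) external returns (bool);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Minimal TransferHelper-style wrapper. Reverts if the target has no code,
// if the call itself fails, or if the token returns false. A token that
// returns no data is treated as success (some deployed tokens do this),
// which is why this is preferred over require(token.transfer(...)).
library CheckedTransfer {
    function safeTransfer(IERC20 token, address to, uint256 value) internal {
        _call(address(token), abi.encodeWithSelector(token.transfer.selector, to, value));
    }

    function safeTransferFrom(IERC20 token, address from, address to, uint256 value) internal {
        _call(address(token), abi.encodeWithSelector(token.transferFrom.selector, from, to, value));
    }

    function _call(address token, bytes memory data) private {
        require(token.code.length > 0, "CheckedTransfer: not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        // Either no return data (legacy tokens) or a decoded true is success.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "CheckedTransfer: transfer failed");
    }
}

// Finding 1 shape: incentive withdrawal marks the caller as claimed and
// then pays out.
contract IncentiveVault {
    using CheckedTransfer for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public owed;
    mapping(address => bool) public claimed;

    constructor(IERC20 _token) { token = _token; }

    // Vulnerable: the bool return is discarded. If rounding left the vault a
    // few wei short and the token returns false instead of reverting, the
    // caller is marked claimed but receives nothing.
    function withdrawIncentiveUnchecked() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        token.transfer(msg.sender, owed[msg.sender]);
    }

    // Fixed: a failed transfer reverts, which rolls back the claimed flag.
    function withdrawIncentive() external {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
        token.safeTransfer(msg.sender, owed[msg.sender]);
    }
}

// Placeholder for the launch event contract the factory deploys.
contract LaunchEventStub {}

// Finding 2 shape: the factory allows one launch event per token and funds
// it with transferFrom. The vulnerable version would call
// token.transferFrom(...) here and ignore the result, leaving
// launchEventOf[token] permanently set for an event that was never funded.
contract EventFactory {
    using CheckedTransfer for IERC20;

    mapping(address => address) public launchEventOf;

    // Fixed: if transferFrom returns false the whole call reverts, so the
    // one-event-per-token slot is not consumed by a failed creation.
    function createLaunchEvent(IERC20 token, uint256 amount) external returns (address launchEvent) {
        require(launchEventOf[address(token)] == address(0), "event exists");
        launchEvent = address(new LaunchEventStub());
        launchEventOf[address(token)] = launchEvent;
        token.safeTransferFrom(msg.sender, launchEvent, amount);
    }
}
```

In practice the wrapper would be OpenZeppelin's SafeERC20 (safeTransfer / safeTransferFrom) or Uniswap's TransferHelper rather than an inline library; the inline version is kept here only so the check being made is visible.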
