L-04. Transfer Limit of UNI Tokens May Lead to a DoS and Token Loss Risk

Submitted by ro1sharkm, SupaRoutis, Jeffauditor. Selected submission by: ro1sharkm.

Relevant GitHub Links

Summary

Users who accumulate more than 2^96 UNI tokens may lose their tokens because transfers above that amount will always revert.

Vulnerability Details

The UNI token contract imposes a transfer limit, restricting the maximum amount of tokens that can be transferred in a single transaction to 2^96 UNI tokens. Any transfer exceeding this threshold will trigger a transaction revert. The contract relies on the balanceOf function to verify the sender's token balance before proceeding with a transfer.
```
self.tokenA.safeTransfer(self.withdrawCache.user, self.tokenA.balanceOf(address(this)));
```
Such a transfer will always revert for balances above 2^96 UNI tokens.

Impact

Users who accumulate more than 2^96 UNI tokens may lose their tokens due to a DoS revert when attempting to withdraw their token balance.

Tools Used

Recommendations

Contracts should always check the amount of UNI being transferred before processing the transaction.
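
One way to apply this recommendation, as an added example that is not code from the audited project or from the submission. The library, interface and error names are hypothetical, and it assumes the token rejects any amount that does not fit in 96 bits. It goes one step beyond the check by also moving an oversized balance in pieces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Minimal interface declared inline so the example compiles on its own.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical helper, not part of the audited code base.
library Uint96BoundedTransfer {
    // Assumption: the token rejects any amount that does not fit in 96 bits.
    uint256 internal constant MAX_AMOUNT = type(uint96).max;

    error AmountExceeds96Bits(uint256 amount);
    error TransferFailed();

    // Check the amount first, so an oversized transfer fails with an explicit
    // error in the caller instead of an opaque revert inside the token.
    function checkedTransfer(IERC20Minimal token, address to, uint256 amount) internal {
        if (amount > MAX_AMOUNT) revert AmountExceeds96Bits(amount);
        if (!token.transfer(to, amount)) revert TransferFailed();
    }

    // Move `amount` in pieces of at most MAX_AMOUNT, so a balance larger than
    // the per-transfer limit can still be withdrawn in full.
    function chunkedTransfer(IERC20Minimal token, address to, uint256 amount) internal {
        while (amount > 0) {
            uint256 chunk = amount > MAX_AMOUNT ? MAX_AMOUNT : amount;
            if (!token.transfer(to, chunk)) revert TransferFailed();
            amount -= chunk;
        }
    }
}
```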