Incorrect call order of transferFrom() and rebase() in Olympus DAO forks
Description
In Olympus DAO forks, calling transferFrom() before rebase() is the wrong order and can lead to security vulnerabilities.
Examples
Insecure Code

```solidity
TOKEN.transferFrom(...);
rebase();
```

Secure Code

```solidity
rebase();
TOKEN.transferFrom(...);
```

Remediation
Reorder the function calls so that rebase() is called before transferFrom().
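The accounting consequence of the two call orders, modelled in Python as an added example (not code from this page or from Olympus DAO); the state fields, the epoch settlement logic and the sample numbers are assumptions standing in for the real staking contract's state:

```python
# Simplified model of epoch accounting in an Olympus-style staking contract.
# Constructed illustration: field names and the settlement rule are assumptions.
from dataclasses import dataclass


@dataclass
class Staking:
    balance: int = 0       # tokens held by the staking contract
    staked: int = 0        # outstanding staker claims on that balance
    epoch_end: int = 0
    epoch_len: int = 100
    distributed: int = 0   # total rebase rewards paid out so far

    def rebase(self, now: int) -> int:
        """Settle the epoch if it has ended: whatever the contract holds beyond
        outstanding claims is treated as this epoch's reward and distributed."""
        if now < self.epoch_end:
            return 0
        self.epoch_end += self.epoch_len
        distribute = max(self.balance - self.staked, 0)
        self.staked += distribute      # rewards become new staker claims
        self.distributed += distribute
        return distribute

    def stake_insecure(self, amount: int, now: int) -> int:
        # Vulnerable order: the deposit lands in `balance` before the epoch is
        # settled, so it is counted as reward and inflates the rebase.
        self.balance += amount         # TOKEN.transferFrom(...)
        paid = self.rebase(now)        # rebase()
        self.staked += amount
        return paid

    def stake_secure(self, amount: int, now: int) -> int:
        # Fixed order: settle the epoch first, then account for the deposit.
        paid = self.rebase(now)        # rebase()
        self.balance += amount         # TOKEN.transferFrom(...)
        self.staked += amount
        return paid


def compare(deposit: int = 1_000, rewards: int = 50) -> tuple:
    """Return (insecure_payout, secure_payout) for one stake made exactly at
    epoch end, starting from 10_000 staked plus `rewards` pending."""
    payouts = []
    for fn in ("stake_insecure", "stake_secure"):
        s = Staking(balance=10_000 + rewards, staked=10_000, epoch_end=100)
        payouts.append(getattr(s, fn)(deposit, now=100))
    return payouts[0], payouts[1]
```

With the insecure order the deposit itself is paid out as rebase reward on top of the genuine 50; with the secure order only the pending 50 is distributed.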
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0211 |
| Category | Crypto |
| Severity | HIGH |
| CWE | CWE-841 |
| Confidence | MEDIUM |
| Impact | HIGH |
| Likelihood | LOW |
| Exploitability | MODERATE |
| Tags | Olympus DAO, rebase, transferFrom |
| OWASP | N/A |
References
- https://twitter.com/DecurityHQ/status/1699384904218202618
- https://medium.com/floordao/floor-post-mortem-incident-summary-september-5-2023-e054a2d5afa4
- https://github.com/OlympusDAO/olympus-contracts/issues/172