Incorrect error parameters in _unfreezeTokens #329
Description
Version affected: v3.0.0
Deployment version: All except the light version
Severity: Low
Fix: v3.1.0
Reported by: Nethermind Audit Agent
The _unfreezeTokens function in ERC20EnforcementModuleInternal.sol performs a check to ensure the value of
tokens being unfrozen does not exceed the account's balance. If the check fails, it reverts with an
ERC20InsufficientBalance error.
However, the parameters passed to this error are incorrect.
The standard OpenZeppelin ERC20InsufficientBalance error is defined as
error ERC20InsufficientBalance(address sender, uint256 balance, uint256 needed).
The sender should be the account with the insufficient balance, and needed should be the required amount.
The current implementation reverts with revert ERC20InsufficientBalance(_msgSender(), balance, value-balance) .
This is incorrect for two reasons:
- The sender is passed as _msgSender() , which is the enforcer role, not the account ( from ) whose balance isinsufficient.
- The needed amount is passed as value-balance , which is the shortfall, not the total value required.
Code snippet from _unfreezeTokens :
function _unfreezeTokens(address from, uint256 value, bytes memory data) internal
virtual{
uint256 balance = ERC20Upgradeable.balanceOf(from);
if(value > balance){
revert ERC20InsufficientBalance(_msgSender(), balance, value-balance);
}
// ...
}
This incorrect error reporting can mislead off-chain tooling and developers trying to debug failed transactions.
The correct call should be revert ERC20InsufficientBalance(from, balance, value); .