canTransfer/canTransferFrom don't check ERC-20 balance #336

@rya-sge

Description

The pre‑flight checks only consider the "active" balance when some tokens are frozen; if no tokens are frozen, the active balance check always returns true, and the functions do not verify the total balance. This can yield true while a real transfer reverts due to insufficient ERC‑20 balance.

While it is intended, we may want to change this in the future.

```solidity
// contracts/modules/internal/ERC20EnforcementModuleInternal.sol
function _checkActiveBalance(address from, uint256 value) internal view returns (bool) {
    uint256 frozenTokensLocal = _getFrozenTokens(from);
    if (frozenTokensLocal > 0) {
        uint256 activeBalance = ERC20Upgradeable.balanceOf(from) - frozenTokensLocal;
        if (value > activeBalance) {
            return false; // Only enforced when some tokens are frozen
        }
    }
    return true; // No check at all when frozenTokensLocal == 0
}
```

Reported by Nethermind AuditAgent
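To make the gap concrete, here is an added, self-contained example (not code from the project or the reporter) that places the reported check beside a candidate fix inside a minimal constructed contract; the storage layout, `setState` helper and `transfer` body are assumptions for illustration only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed stand-in for an ERC-20 with a frozen-token ledger (example only).
contract PreflightCheckExample {
    mapping(address => uint256) private _balances;
    mapping(address => uint256) private _frozen;

    error InsufficientBalance(address from, uint256 balance, uint256 needed);

    /// Test helper (assumption): set an account's total and frozen balance directly.
    function setState(address account, uint256 balance, uint256 frozen) external {
        require(frozen <= balance, "frozen exceeds balance");
        _balances[account] = balance;
        _frozen[account] = frozen;
    }

    /// Mirrors the reported behaviour: the balance is only compared when frozen > 0.
    /// With balance = 100, frozen = 0, value = 150 this returns true.
    function checkActiveBalanceReported(address from, uint256 value) public view returns (bool) {
        uint256 frozenTokensLocal = _frozen[from];
        if (frozenTokensLocal > 0) {
            uint256 activeBalance = _balances[from] - frozenTokensLocal;
            if (value > activeBalance) {
                return false;
            }
        }
        return true; // no check at all when nothing is frozen
    }

    /// Candidate fix: always compare against the spendable balance. When nothing is
    /// frozen the spendable balance is the full balance, so the same call returns false.
    function checkActiveBalanceFixed(address from, uint256 value) public view returns (bool) {
        uint256 activeBalance = _balances[from] - _frozen[from];
        return value <= activeBalance;
    }

    /// The real transfer path the pre-flight check is meant to predict: it reverts
    /// on insufficient balance regardless of whether any tokens are frozen.
    function transfer(address to, uint256 value) external {
        uint256 spendable = _balances[msg.sender] - _frozen[msg.sender];
        if (value > spendable) {
            revert InsufficientBalance(msg.sender, spendable, value);
        }
        _balances[msg.sender] -= value;
        _balances[to] += value;
    }
}
```

Even with the fix, a `canTransfer` result is only a snapshot: the balance or frozen amount can change between the view call and the actual transfer, so callers should treat it as advisory rather than as a guarantee.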

Labels: enhancement (New feature or request)
