Omniscia SaucerSwap Audit

PeripheryPayments Manual Review Findings

PPS-01M: Incorrect Transfer of Funds

Description:

The PeripheryPayments::pay function will bypass the special IHederaTokenService transfer style of the TransferHelper and perform a direct ERC20::transfer on the whbar token.

Impact:

Transfers performed by utilizing the active balance of the router may fail to be properly processed as they interact with the EIP-20 contract directly rather than through the IHederaTokenService.

Example:

contracts/base/PeripheryPayments.sol
if (token == whbar && address(this).balance >= value) {
    // pay with whbar
    IWHBAR(WHBAR).deposit{value: value}(); // wrap only what is needed to pay
    IERC20(whbar).transfer(recipient, value);
} else if (payer == address(this)) {

Recommendation:

We advise the code to instead utilize the TransferHelper, ensuring transfers are performed in full compliance with the Hedera Protocol ecosystem.
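The following Solidity snippet is an added illustration of the recommendation, not code from the SaucerSwap repository or from this report. It places the flagged direct ERC20::transfer beside a variant that routes the WHBAR transfer through the TransferHelper. The TransferHelper.safeTransfer signature, the IHederaTokenService.transferToken entry point and its precompile address, the IWHBAR interface, and the storage layout of the example contract are all assumptions made for this example; SaucerSwap's actual helper may differ. Note that the alleviation below concludes that, per HIP-218 and HIP-376, both forms behave equivalently on Hedera, so the second variant shows the recommended pattern rather than a required fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not SaucerSwap's code. Interfaces and the helper below are
// assumptions made so the two payment variants can be compared side by side.

interface IWHBAR {
    function deposit() external payable; // assumed: wraps msg.value into WHBAR
}

interface IERC20 {
    function transfer(address to, uint256 value) external returns (bool);
}

// Assumed shape of the Hedera Token Service precompile entry point (HIP-206 style).
interface IHederaTokenService {
    function transferToken(address token, address sender, address receiver, int64 amount)
        external
        returns (int64 responseCode);
}

// Assumed TransferHelper: moves tokens via the HTS precompile instead of calling
// the token contract's ERC20 transfer directly.
library TransferHelper {
    address internal constant HTS_PRECOMPILE = address(0x167); // assumed precompile address
    int64 internal constant SUCCESS = 22;                       // assumed HederaResponseCodes.SUCCESS

    function safeTransfer(address token, address to, uint256 value) internal {
        // HTS amounts are int64; refuse anything that would not fit.
        require(value <= uint256(uint64(type(int64).max)), "TransferHelper: amount too large");
        int64 rc = IHederaTokenService(HTS_PRECOMPILE).transferToken(
            token,
            address(this), // inlined library call, so this is the router itself
            to,
            int64(uint64(value))
        );
        require(rc == SUCCESS, "TransferHelper: HTS transfer failed");
    }
}

abstract contract PeripheryPaymentsExample {
    address public immutable whbar; // WHBAR token address, supplied at deployment

    constructor(address whbar_) {
        whbar = whbar_;
    }

    // Flagged form (PPS-01M): after wrapping the needed HBAR, the WHBAR is moved
    // with a direct ERC20 transfer on the token contract.
    function payDirect(address token, address recipient, uint256 value) internal {
        if (token == whbar && address(this).balance >= value) {
            IWHBAR(whbar).deposit{value: value}(); // wrap only what is needed to pay
            IERC20(whbar).transfer(recipient, value);
        }
        // remaining branches of the original pay function are not reproduced here
    }

    // Recommended form: identical wrap step, but the transfer goes through the
    // TransferHelper so it follows the same path as every other token transfer.
    function payViaHelper(address token, address recipient, uint256 value) internal {
        if (token == whbar && address(this).balance >= value) {
            IWHBAR(whbar).deposit{value: value}(); // wrap only what is needed to pay
            TransferHelper.safeTransfer(whbar, recipient, value);
        }
        // remaining branches of the original pay function are not reproduced here
    }
}
```

The point of the second variant is uniformity: every outbound token movement from the router passes through one helper whose success check (the response code) is the same regardless of the token, so a token that behaves differently from the EIP-20 contract surface cannot silently diverge from the rest of the periphery's transfer logic.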

Alleviation (d8d187efd1fa23b943c82694aaaccb5b9e427096):

After discussions with the SaucerSwap team and inspection of the Hedera Improvement Proposals and specifically HIP-218 and HIP-376, we have concluded that a direct invocation of ERC20::transfer is equivalent to an invocation of a transfer via the HederaTokenService.

As such, we consider this exhibit nullified.