Use safeTransfer()/safeTransferFrom() instead of transfer()/transferFrom().
Some tokens do not implement the ERC20 standard properly but are still accepted by most code that handles ERC20 tokens. For example, Tether (USDT)'s transfer() and transferFrom() functions on L1 do not return the boolean the specification requires; they have no return value at all. When such a token is cast to IERC20, the declared return type does not match what the token actually returns, so the call reverts when the caller tries to decode the missing boolean (see this link for a test case).
transfer()/transferFrom() are used in many functions of the following contracts: Staking.sol, Lender.sol, Fees.sol and Beedle.sol, links to which I have provided in the Relevant GitHub links section.
Tokens that do not actually perform the transfer and return false instead of reverting are still counted as a successful transfer, because the returned boolean is never checked. Furthermore, tokens that do not correctly implement the EIP20 standard, like USDT which does not return a success boolean, will revert and cannot be used with these functions at all.
Tools used: Manual review
Use OpenZeppelin's SafeERC20 safeTransfer()/safeTransferFrom() wrappers in place of the bare transfer()/transferFrom() calls.
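The following is an added illustration, not code from the audited Beedle contracts: a minimal vault written with the bare transferFrom() pattern next to the same vault using OpenZeppelin's SafeERC20, plus two constructed mock tokens that reproduce the two failure modes described above (a USDT-style token with no return value, and a token that returns false instead of reverting). The import paths are OpenZeppelin's real ones; the vault and token contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock of a USDT-style token: transferFrom() performs the
/// transfer but declares no return value, so callers that decode a bool revert.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        require(balanceOf[from] >= amount, "balance");
        require(allowance[from][msg.sender] >= amount, "allowance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        // no `return true;` here, matching USDT's L1 behaviour
    }
}

/// Constructed mock of a token that signals failure by returning false
/// instead of reverting, which the standard permits.
contract FalseReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1_000_000e18; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false; // nothing moved, but the caller only learns this if it checks
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern (hypothetical vault): the result of transferFrom() is ignored.
contract UnsafeVault {
    mapping(address => mapping(address => uint256)) public deposits;

    function deposit(IERC20 token, uint256 amount) external {
        // With FalseReturnToken and an insufficient balance, this returns false,
        // no tokens move, and the depositor is still credited below.
        // With NoReturnToken, decoding the absent bool reverts, so the token
        // cannot be deposited at all.
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender][address(token)] += amount;
    }
}

/// Hardened pattern: SafeERC20 makes a low-level call, requires it to succeed,
/// and accepts either no return data or a decoded `true`; anything else reverts.
contract SafeVault {
    using SafeERC20 for IERC20;

    mapping(address => mapping(address => uint256)) public deposits;

    function deposit(IERC20 token, uint256 amount) external {
        // NoReturnToken: succeeds (empty return data is accepted).
        // FalseReturnToken returning false: reverts, so no phantom credit.
        token.safeTransferFrom(msg.sender, address(this), amount);
        deposits[msg.sender][address(token)] += amount;
    }
}
```

Against UnsafeVault, a deposit of NoReturnToken reverts on every call, while a deposit of FalseReturnToken by an account holding fewer tokens than `amount` credits `deposits` without moving any balance. Against SafeVault the first case succeeds and the second reverts, which is the behaviour the recommendation above restores for Staking.sol, Lender.sol, Fees.sol and Beedle.sol.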