The protocol uses the ERC20 transfer() and transferFrom() functions, which do not check the return value, unlike safeTransfer() and safeTransferFrom() from OpenZeppelin's SafeERC20 library.
As a result, many token transfers will silently fail, contrary to the protocol's assumption that they succeeded.
In the ERC20 standard, some tokens do not follow the convention of reverting the transaction when a transfer fails. Instead, they return a boolean value to indicate that the transfer has failed.
As a result, ERC20 transfer() / transferFrom() calls on such tokens will silently fail, leaving the protocol under the assumption that they succeeded.
Consider a scenario where a borrower calls the borrow() function and the subsequent transferFrom() silently fails: the protocol thinks it has locked the collateral, but in reality it has not.
The same applies to the transfer() calls.
If left unfixed and such non-reverting tokens are used, this can break the overall functioning of the protocol.
Manual Review
Use OpenZeppelin's SafeERC20, a contract library designed to provide a secure implementation of the ERC20 transfer functions. It ensures that token transfers are handled correctly, even for tokens that return false upon failure, by reverting when the call does not succeed.
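The following is an added illustration of the issue and the recommended fix; it is not code from the audited protocol. The `NonRevertingToken` mock, the `VulnerableLending` / `SafeLending` contracts and the `Demo` harness are constructed for this example. The only real dependency is OpenZeppelin's `SafeERC20` (the `safeTransferFrom` call reverts when the token returns `false`, or returns no data at all).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock of a non-reverting ERC20: transfer()/transferFrom() return
/// false on insufficient balance or allowance instead of reverting.
contract NonRevertingToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Signals failure with a boolean rather than a revert.
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (allowance[from][msg.sender] < amount || balanceOf[from] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical lending contract with the pattern the finding describes:
/// the return value of transferFrom() is ignored.
contract VulnerableLending {
    IERC20 public immutable collateral;
    mapping(address => uint256) public lockedCollateral;

    constructor(IERC20 token) { collateral = token; }

    function borrow(uint256 collateralAmount) external {
        // If the token returns false, execution simply continues and the
        // protocol records collateral it never received.
        collateral.transferFrom(msg.sender, address(this), collateralAmount);
        lockedCollateral[msg.sender] += collateralAmount;
        // debt issuance would follow here
    }
}

/// Same contract using SafeERC20: state is only updated if the transfer succeeded.
contract SafeLending {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateral;
    mapping(address => uint256) public lockedCollateral;

    constructor(IERC20 token) { collateral = token; }

    function borrow(uint256 collateralAmount) external {
        // Reverts when the token returns false (or returns no data at all).
        collateral.safeTransferFrom(msg.sender, address(this), collateralAmount);
        lockedCollateral[msg.sender] += collateralAmount;
    }
}

/// Constructed harness: the caller holds no tokens and has given no approval,
/// so the mock's transferFrom() returns false in both cases.
contract Demo {
    function run() external returns (uint256 recordedCollateral, uint256 actuallyHeld) {
        NonRevertingToken token = new NonRevertingToken();

        VulnerableLending vuln = new VulnerableLending(IERC20(address(token)));
        vuln.borrow(100 ether);
        // Collateral is recorded although the contract's token balance is unchanged.
        recordedCollateral = vuln.lockedCollateral(address(this));
        actuallyHeld = token.balanceOf(address(vuln));

        SafeLending safe = new SafeLending(IERC20(address(token)));
        (bool ok, ) = address(safe).call(abi.encodeCall(SafeLending.borrow, (100 ether)));
        // The SafeERC20 variant reverts instead of recording phantom collateral.
        require(!ok, "SafeLending.borrow should have reverted");
    }
}
```

Deploying `Demo` and calling `run()` shows the divergence: `VulnerableLending` reports locked collateral while holding none, whereas `SafeLending.borrow` reverts before any state is written.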