Submission Details
Severity:
Unsafe use of `transfer()`/`transferFrom()` with `IERC20`
Summary
Unsafe use of transfer()/transferFrom() with IERC20
Vulnerability Details
Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether (USDT)'s transfer() and transferFrom() functions on L1 do not return booleans as the specification requires, and instead have no return value. When these sorts of tokens are cast to IERC20, their function signatures do not match and therefore the calls made, revert (see this link for a test case).
Code Snippet
File: Lender.sol
152: IERC20(p.loanToken).transferFrom(
153: p.lender,
154: address(this),
155: p.poolBalance - currentBalance
156: );
157: } else if (p.poolBalance < currentBalance) {
158: // if new balance < current balance then transfer the difference back to the lender
159: IERC20(p.loanToken).transfer(
160: p.lender,
161: currentBalance - p.poolBalance
162: );
163: }
File: Lender.sol
267: IERC20(loan.loanToken).transfer(feeReceiver, fees);
268: // transfer the loan tokens from the pool to the borrower
269: IERC20(loan.loanToken).transfer(msg.sender, debt - fees);
270: // transfer the collateral tokens from the borrower to the contract
271: IERC20(loan.collateralToken).transferFrom(
272: msg.sender,
273: address(this),
274: collateral
275: );
Impact
Tools Used
Manual
Recommendations
Use OpenZeppelin’s SafeERC20's safeTransfer()/safeTransferFrom() instead
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
70628 USDC / LOC
18,000 USDC
2,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.