Submission Details
Severity: medium

ERC20 return values not checked in `Lender.sol`

Summary

There are over 20 calls to transfer()/transferFrom() in Lender.sol, and none of their return values are checked.

Vulnerability Detail

ERC20.transfer() and ERC20.transferFrom() return a boolean indicating whether the transfer succeeded, and that return value needs to be checked. Not every token behaves the same way: some tokens (USDT is the usual example) do not implement the EIP-20 interface correctly and return no value at all, while others do not revert on a failed transfer but return false instead. Because Lender.sol discards the return value, a returned false is silently treated as success.

Since the beedle.fi protocol accepts arbitrary ERC20 tokens as loanTokens, it cannot assume standard-compliant behaviour; this should be taken into account and mitigated explicitly.

Impact

A token that returns false without moving any funds is still counted as a successful transfer, so the lender's accounting is updated as if the tokens had arrived (or left) while the actual balances did not change.

Tool used

Manual Audit

Recommendation

We recommend checking the success boolean of every transfer/transferFrom call into an untrusted token contract or, better, using OpenZeppelin's SafeERC20 (safeTransfer/safeTransferFrom), which both checks the returned boolean and tolerates non-compliant tokens that return no data. The return value of ERC20.approve should be checked in the same way.
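The following is an added illustration written for this note; it is not beedle.fi code. It pairs the unchecked pattern the finding describes with the SafeERC20 version, using a hypothetical token that returns false without moving funds. Contract and function names (FalseReturningToken, UncheckedLender, SafeLender, Demo, addToPool) are invented for the example, and it assumes OpenZeppelin Contracts 5.x, where SafeERC20 provides safeTransfer, safeTransferFrom and forceApprove.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not beedle.fi code. Assumes OpenZeppelin Contracts 5.x;
// all contract and function names below are hypothetical.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical token that fails the way the finding describes:
/// it returns false instead of reverting, and moves nothing.
contract FalseReturningToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false; // no state change, no revert
    }

    function transfer(address, uint256) external pure returns (bool) {
        return false;
    }
}

/// "Before": the pattern reported in Lender.sol. The boolean is discarded,
/// so the pool is credited even though no tokens arrived.
contract UncheckedLender {
    mapping(address => mapping(address => uint256)) public poolBalance;

    function addToPool(IERC20 loanToken, uint256 amount) external {
        loanToken.transferFrom(msg.sender, address(this), amount); // return value ignored
        poolBalance[msg.sender][address(loanToken)] += amount;     // accounting drifts from reality
    }
}

/// "After": SafeERC20 wraps each call, reverts when the token returns false,
/// and also accepts tokens (USDT-style) that return no data at all.
contract SafeLender {
    using SafeERC20 for IERC20;

    mapping(address => mapping(address => uint256)) public poolBalance;

    function addToPool(IERC20 loanToken, uint256 amount) external {
        loanToken.safeTransferFrom(msg.sender, address(this), amount); // reverts on false / bad return
        poolBalance[msg.sender][address(loanToken)] += amount;
    }

    function withdraw(IERC20 loanToken, uint256 amount) external {
        poolBalance[msg.sender][address(loanToken)] -= amount; // checked arithmetic reverts on underflow
        loanToken.safeTransfer(msg.sender, amount);
    }

    /// approve() return values get the same treatment; forceApprove also
    /// copes with tokens that require the allowance to be reset to zero first.
    function grantAllowance(IERC20 loanToken, address spender, uint256 amount) external {
        loanToken.forceApprove(spender, amount);
    }
}

/// Drives both lenders against the false-returning token so the difference
/// is observable from a single call.
contract Demo {
    function run() external returns (uint256 uncheckedCredit, bool safeReverted) {
        FalseReturningToken token = new FalseReturningToken();
        UncheckedLender unchecked = new UncheckedLender();
        SafeLender safe = new SafeLender();

        // The unchecked lender records the deposit even though the token moved nothing.
        unchecked.addToPool(IERC20(address(token)), 100);
        uncheckedCredit = unchecked.poolBalance(address(this), address(token));

        // The SafeERC20 lender refuses the same deposit.
        try safe.addToPool(IERC20(address(token)), 100) {
            safeReverted = false;
        } catch {
            safeReverted = true;
        }
    }
}
```

Deploying Demo and calling run() shows the two behaviours side by side: the unchecked lender credits the caller with the full amount it never received, while the SafeERC20 lender reverts and leaves its accounting untouched. The same wrapper also keeps a bool-declared interface from breaking on tokens that return no data, since SafeERC20 performs a low-level call and accepts either empty return data or a decoded true.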

Additional Note

For further information check out these links:
