Submission Details
Severity: high

Protocol may lose funds because the ERC20 token transfer return value is not checked

Vulnerability Details

The contracts do not check the return value when transferring ERC20 tokens. A transfer may fail and return false rather than revert, but the contracts never verify that the returned value is true. In addition, some tokens that are not fully ERC20-compliant (such as USDT) return nothing instead of a bool. The protocol needs to confirm whether each transfer actually succeeded.

For example, the addToPool function of the Lender contract calls IERC20(pools[poolId].loanToken).transferFrom but does not check the return value. If transferFrom returns false, the protocol still treats the transfer as successful and updates the pool's balance, which also increases the balance credited to the pool owner.

    if (pools[poolId].lender != msg.sender) revert Unauthorized();
    if (amount == 0) revert PoolConfig();
    _updatePoolBalance(poolId, pools[poolId].poolBalance + amount);
    // transfer the loan tokens from the lender to the contract
    IERC20(pools[poolId].loanToken).transferFrom(
        msg.sender,
        address(this),
        amount
    );

Impact

An ERC20 transfer may fail silently, and the protocol can lose funds because it does not check the ERC20 transfer return value: the pool balance is credited even though no tokens were received.

Tools Used

VS Code, manual review

Recommendations

Use OpenZeppelin's SafeERC20 library with IERC20. Its safeTransfer and safeTransferFrom functions check the return value and also handle non-standard tokens that return nothing, reverting whenever the transfer does not succeed.
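The following added example (not code from the audited Lender contract) shows the unchecked pattern next to the SafeERC20 fix, together with a constructed mock token that returns false without reverting. The Pool struct, the inline balance update and the mock are simplifications assumed for the demonstration; the contract uses OpenZeppelin's IERC20 and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock (assumption, not a real token): never moves funds,
// never reverts, always reports failure through the return value.
contract FalseReturnToken {
    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

// Vulnerable shape: the return value of transferFrom is ignored.
contract PoolVulnerable {
    error Unauthorized();
    error PoolConfig();
    struct Pool { address lender; address loanToken; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools; // simplified pool storage (assumption)

    function addToPool(bytes32 poolId, uint256 amount) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        if (amount == 0) revert PoolConfig();
        pools[poolId].poolBalance += amount;
        // BUG: with FalseReturnToken this call returns false and moves nothing,
        // yet poolBalance above has already been credited with `amount`.
        IERC20(pools[poolId].loanToken).transferFrom(msg.sender, address(this), amount);
    }
}

// Hardened shape: safeTransferFrom reverts on a false return value,
// and also accepts tokens that return no data at all (e.g. USDT).
contract PoolFixed {
    using SafeERC20 for IERC20;
    error Unauthorized();
    error PoolConfig();
    struct Pool { address lender; address loanToken; uint256 poolBalance; }
    mapping(bytes32 => Pool) public pools;

    function addToPool(bytes32 poolId, uint256 amount) external {
        if (pools[poolId].lender != msg.sender) revert Unauthorized();
        if (amount == 0) revert PoolConfig();
        pools[poolId].poolBalance += amount;
        // With FalseReturnToken this reverts, so the balance update is rolled back.
        IERC20(pools[poolId].loanToken).safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

Deploying both pools against FalseReturnToken makes the difference observable: PoolVulnerable.addToPool succeeds and inflates poolBalance, while PoolFixed.addToPool reverts and leaves storage untouched.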
