15,000 USDC
View results
Submission Details
Severity: medium
Valid

Unsafe use of transfer()/transferFrom() with IERC20

Summary

Unsafe use of transfer()/transferFrom() with IERC20

Vulnerability Details

Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example Tether (USDT)'s transfer() and transferFrom() functions on L1 do not return booleans as the specification requires, and instead have no return value. When these sorts of tokens are cast to IERC20, their function signatures do not match and therefore the calls made, revert. Use OpenZeppelin’s SafeERC20's safeTransfer()/safeTransferFrom() instead

bool success = IERC20(tokenCollateralAddress).transfer(to, amountCollateral);

Impact

this will cause a loss of fund for the user .

Tools Used

manual review

Recommendations

Use OpenZeppelin’s SafeERC20's safeTransfer()/safeTransferFrom() instead

bool success = IERC20(tokenCollateralAddress).safeTransfer(to, amountCollateral);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.