The DSCEngine is incompatible with ERC20 tokens that do not return a bool.
While the ERC-20 standard defines that methods such as transferFrom must return a bool indicating success, the reality is that many major tokens do not, and instead just revert on failure.
The DSCEngine contract, however, expects the collateral tokens to return a boolean result, which can be seen in calls such as
Should a token not return a bool, the DSCEngine contract is unable to operate with it, as Solidity generates implicit checks that verify RETURNDATASIZE for these calls, which revert when it is not as expected.
This does not affect WETH and WBTC. However, the contest description mentions that "The system is meant to be such that someone could fork this codebase, swap out WETH & WBTC for any basket of assets they like, and the code would work the same." In this case, this issue could arise.
None
Use OpenZeppelin's SafeERC20 library that offers methods such as safeTransferFrom and safeTransfer that handle optional return values, and replace all relevant calls in DSCEngine with the OpenZeppelin implementation.