Submission Details
Severity: medium
Valid

Non-standard ERC20 Tokens are Not Supported

Summary

Some tokens (like USDT) do not correctly implement the EIP20 standard: their transfer/transferFrom functions return nothing instead of a success boolean. Calling these functions through the standard EIP20 function signatures, which declare a boolean return value, will always revert.

Vulnerability Details

In DSCEngine.sol, the depositCollateral() function uses the transferFrom() method to transfer funds from users to the contract. However, because some ERC20 tokens do not comply with the standard, if a token like USDT is used as collateral the call returns nothing instead of a boolean value. As a result, the check if(!success), where success is the return value of transferFrom(), will always be triggered and the transaction will revert.

Impact

Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol, because the missing return value causes the deposit transaction to revert.

Tools Used

Manual Analysis

Recommendations

I recommend using OpenZeppelin's SafeERC20 library with the safeTransfer and safeTransferFrom functions, which handle the return value check as well as non-standard-compliant tokens.
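To make the failure mode in Vulnerability Details and the fix in Recommendations concrete, the following is an added example, not code from the DSCEngine codebase or from the finding's author. The NonReturningToken is a constructed stand-in for a USDT-style token whose transferFrom returns no data; VulnerableDeposit and SafeDeposit are hypothetical contracts that show the pattern the finding describes and the SafeERC20 replacement. The test contract assumes Foundry with forge-std and OpenZeppelin installed at the usual import paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

/// Constructed stand-in for a USDT-style token: transferFrom returns nothing.
/// Not a real token; the accounting is deliberately minimal.
contract NonReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e6;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // Note: no `returns (bool)`. This is the non-standard behaviour.
    function transferFrom(address from, address to, uint256 amount) external {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// Hypothetical contract using the pattern the finding describes.
/// The IERC20 interface declares `returns (bool)`, so the compiler tries to
/// ABI-decode a 32-byte bool from the return data. When the token returns
/// no data, that decode reverts before `success` is ever examined.
contract VulnerableDeposit {
    mapping(address => mapping(address => uint256)) public collateral;

    function depositCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] += amount;
        bool success = IERC20(token).transferFrom(msg.sender, address(this), amount);
        if (!success) revert("transfer failed");
    }
}

/// Hardened version. SafeERC20 performs a low-level call and accepts either
/// empty return data or data that decodes to `true`; anything else reverts.
contract SafeDeposit {
    using SafeERC20 for IERC20;

    mapping(address => mapping(address => uint256)) public collateral;

    function depositCollateral(address token, uint256 amount) external {
        collateral[msg.sender][token] += amount;
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
    }
}

/// Foundry test (assumes forge-std) showing the revert versus the success path.
contract DepositTest is Test {
    NonReturningToken token;
    VulnerableDeposit vulnerable;
    SafeDeposit safe;

    function setUp() public {
        token = new NonReturningToken(); // test contract holds the initial supply
        vulnerable = new VulnerableDeposit();
        safe = new SafeDeposit();
        token.approve(address(vulnerable), 100e6);
        token.approve(address(safe), 100e6);
    }

    function testVulnerableDepositReverts() public {
        vm.expectRevert(); // decoding the missing bool fails
        vulnerable.depositCollateral(address(token), 100e6);
    }

    function testSafeDepositSucceeds() public {
        safe.depositCollateral(address(token), 100e6);
        assertEq(token.balanceOf(address(safe)), 100e6);
        assertEq(safe.collateral(address(this), address(token)), 100e6);
    }
}
```

Run with `forge test` after placing the file under `test/`. The point to verify in the real codebase is that every external token transfer goes through safeTransfer/safeTransferFrom (or an equivalent low-level call that tolerates empty return data), since a single raw IERC20 call is enough to make a non-returning token unusable as collateral.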
