Missing checks for successful transfer on EIP-20 compliant tokens can lead to silent failures and wrong accounting
OpenZeppelin's IERC20 interface follows the EIP-20 specification, in which transfer() and transferFrom() return a bool. The specification allows a token to signal failure by returning false rather than reverting, so the return value is the only indication the caller gets that the transfer did not happen.
When the contract ignores that return value, a transfer that returns false is treated exactly like one that succeeded: execution continues, no revert occurs, and any state the contract updates afterwards (balances, shares, deposit records) is credited even though no tokens actually moved. The result is a silent failure and token accounting that no longer matches the contract's real token balance.
Manual review
Add a require() statement that checks the return value of every ERC20 transfer() and transferFrom() call.
However, wrapping the call in require() is not sufficient on its own: some widely used tokens are not EIP-20 compliant and do not return a boolean at all (USDT is the best-known example). Because the IERC20 interface declares a bool return, Solidity's ABI decoding of the empty return data reverts on such tokens, so the require() version cannot interact with them at all.
Therefore I highly advise using safeTransfer() and safeTransferFrom() from OpenZeppelin's SafeERC20. These perform a low-level call, revert if the token returns false, and accept a token that returns no data, which covers both compliant and non-compliant tokens.