MorpheusAI
MorpheusAI
Foundry
22,500 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Use safeTransfer()/safeTransferFrom() instead of transfer()/transferFrom()

0x27281m

Impact:
It is a good idea to add a require() statement that checks the return value of ERC20 token transfers or to use something like OpenZeppelin’s safeTransfer()/safeTransferFrom() unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

However, using require() to check transfer return values could lead to issues with non-compliant ERC20 tokens which do not return a boolean value. Therefore, it's highly advised to use OpenZeppelin’s safeTransfer()/safeTransferFrom().

Proof of Concept:

  1. GatewayRouterMock.sol

    1. https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/mock/GatewayRouterMock.sol#L15C24-L15C36

  2. SwapRouterMock.sol

    1. https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/mock/SwapRouterMock.sol#L9

    2. https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/mock/SwapRouterMock.sol#L10

  3. WStETHMock.sol

    1. https://github.com/Cyfrin/2024-01-Morpheus/blob/main/contracts/mock/tokens/WStETHMock.sol#L25

Tools Used:
Manual review

Recommendations:
Consider using safeTransfer()/safeTransferFrom() instead of transfer()/transferFrom().

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.