Submission Details
Severity: medium
Invalid

`ICredToken::approve`, `ICredToken::transfer` And `ICredToken::transferFrom` Have Incorrect ERC20 Function Interfaces

Vulnerability Details

ICredToken::approve, ICredToken::transfer and ICredToken::transferFrom have incorrect ERC20 function interfaces. These ERC20 functions should return a bool value to indicate success or failure, but the ICredToken interface does not define these return values. A contract compiled with Solidity > 0.4.22 interacting with these functions will fail to execute them, as the return value is missing.

Impact

Smart contracts interacting with ICredToken expecting boolean return values from these functions may revert or fail to execute as anticipated, leading to potential integration issues or loss of functionality.

Proof of Concept

Consider a DeFi platform that offers a staking feature, allowing users to stake ERC20 tokens in return for rewards:

```solidity
contract DeFiStakingContract {
    ICredToken public token;

    constructor(ICredToken _token) {
        token = _token;
    }

    function stakeTokens(uint256 _amount) public {
        // Expecting a boolean return value to ensure the transfer was successful
        require(token.transferFrom(msg.sender, address(this), _amount), "Transfer failed");
        // Logic to handle successful staking
    }
}
```

The stakeTokens function uses require to check the success of transferFrom by expecting a boolean return value. However, since ICredToken's transferFrom does not return any value (due to the incorrect interface definition), the contract will revert and fail to execute, preventing users from staking their tokens.
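
A caller-side way to tolerate a token with the missing return value described above, in the style of OpenZeppelin's SafeERC20. This is an added example, not part of the submission or the audited code; `IMaybeBoolToken`, `TolerantTransfer` and `TolerantStaking` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: selector-only view of a token whose transferFrom may or may not return a bool.
interface IMaybeBoolToken {
    function transferFrom(address from, address to, uint256 amount) external;
}

library TolerantTransfer {
    error TransferFromFailed(address token);

    // A low-level call skips the compiler-generated return-data length check.
    // Accepted outcome: call succeeded AND (no return data OR return data decodes to true).
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // A call to an address without code succeeds with empty return data, so reject it.
        if (token.code.length == 0) revert TransferFromFailed(token);

        (bool ok, bytes memory ret) = token.call(
            abi.encodeCall(IMaybeBoolToken.transferFrom, (from, to, amount))
        );
        // Non-empty return data must be a full ABI word that decodes to true.
        bool returnedFalse = ret.length != 0 && (ret.length < 32 || !abi.decode(ret, (bool)));
        if (!ok || returnedFalse) revert TransferFromFailed(token);
    }
}

// Hypothetical staking contract mirroring the proof of concept above.
contract TolerantStaking {
    address public immutable token;
    mapping(address => uint256) public staked;

    constructor(address _token) {
        token = _token;
    }

    function stakeTokens(uint256 amount) external {
        TolerantTransfer.safeTransferFrom(token, msg.sender, address(this), amount);
        staked[msg.sender] += amount; // reached only if the transfer did not revert
    }
}
```

The same wrapper works whether or not the token's `transferFrom` declares `returns (bool)`, because the function selector does not depend on the return type.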

Tools Used

Slither

Recommendations

Update the ICredToken interface to align with the ERC20 standard by ensuring that approve, transfer, and transferFrom return a boolean value:

- function approve(address to, uint256 amount) external;
- function transfer(address to, uint256 amount) external;
- function transferFrom(address from, address to, uint256 amount) external;
+ function approve(address to, uint256 amount) external returns (bool);
+ function transfer(address to, uint256 amount) external returns (bool);
+ function transferFrom(address from, address to, uint256 amount) external returns (bool);
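
Review bot: the `+` lines change only the interface declarations, so whatever contract implements `ICredToken` also needs `returns (bool)` on `approve`, `transfer` and `transferFrom` and must return `true` on success, otherwise it no longer matches the interface; the patch should include that change alongside this one. As a style point, `approve(address to, uint256 amount)` names its first parameter `to`, where ERC-20 uses `spender`.
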
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
