DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Direct use of `transfer` in the `unstakeAll` function without checking the return value could cause issues with non-compliant ERC20 tokens

Summary:

In the FjordStaking contract, the `unstakeAll` function uses the `transfer` method of `fjordToken` to send tokens back to the user.
Some ERC20 tokens do not adhere strictly to the ERC20 standard and may not return a boolean value.

Vulnerability Details:

In the `unstakeAll` function:

```solidity
fjordToken.transfer(msg.sender, totalStakedAmount);
```

Analysis

Direct use of `transfer`:

The ERC20 `transfer` function is called directly, without any check of its return value.
The standard `transfer` function returns a boolean indicating success, but `unstakeAll` never inspects it.

Impact:

Some ERC20 tokens do not adhere strictly to the ERC20 standard and may not return a boolean value.
If the `transfer` call fails (e.g., due to insufficient balance or allowance), it might not revert, leading to a silent failure in which the user's stake is cleared but no tokens are actually transferred.

Tools Used:

Manual review

Recommendations:

Use OpenZeppelin's `SafeERC20` library, which wraps the `transfer` call, checks the return value, and reverts if the transfer fails.
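As an added illustration (not the FjordStaking code), the pattern the report flags next to the recommended `SafeERC20` form. The `FalseReturningToken` mock, the `staked` mapping and the two staking contracts are constructed for this example; only the `fjordToken` and `totalStakedAmount` names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: a token whose transfer() returns false on failure
/// instead of reverting, which is the behaviour the report worries about.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Pattern the report flags: the boolean returned by transfer() is ignored.
contract UncheckedUnstake {
    IERC20 public immutable fjordToken;
    mapping(address => uint256) public staked; // hypothetical accounting

    constructor(IERC20 token) { fjordToken = token; }

    function unstakeAll() external {
        uint256 totalStakedAmount = staked[msg.sender];
        staked[msg.sender] = 0;
        // If the token returns false, this call still succeeds: the stake
        // record is already zeroed while no tokens have moved.
        fjordToken.transfer(msg.sender, totalStakedAmount);
    }
}

/// Recommended form: safeTransfer reverts when the call fails or returns
/// false, and tolerates tokens that return no data at all.
contract CheckedUnstake {
    using SafeERC20 for IERC20;
    IERC20 public immutable fjordToken;
    mapping(address => uint256) public staked; // hypothetical accounting

    constructor(IERC20 token) { fjordToken = token; }

    function unstakeAll() external {
        uint256 totalStakedAmount = staked[msg.sender];
        staked[msg.sender] = 0;
        fjordToken.safeTransfer(msg.sender, totalStakedAmount);
    }
}
```

Deploying both staking contracts against `IERC20(address(new FalseReturningToken()))` with an unfunded pool shows the difference: `UncheckedUnstake.unstakeAll` succeeds and wipes the stake record, `CheckedUnstake.unstakeAll` reverts and leaves it intact.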

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
