Unchecked Return Values in ERC20 Transfers
Summary
The TokenManager contract assumes that _safe_transfer_from will revert on failure, which isn't guaranteed for all token implementations.
Vulnerability Details
The contract assumes that _safe_transfer_from will revert on failure. However, some ERC20 tokens (especially older or non-standard implementations) might return false instead of reverting on failure.
Impact
This vulnerability potentiallly could lead to system-wide failure if exploited at scale. If a non-reverting token is used that simply returns false on failure, the contract might assume a transfer was successful when it wasn't. This could lead to:
Incorrect balance tracking
Potential loss of funds
Inconsistent contract state
Tools Used
manual code review
Recommendations
Use OpenZeppelin's SafeERC20 library for all ERC20 interactions:
Implement additional checks for token transfers:
Lead Judging Commences
[invalid] finding-weird-erc-20-return-boolean-Rescuable
I believe the issues and duplicates do not warrant low severity severity as even if the call to transfers returns false instead of reverting, there is no impact as it is arguably correct given there will be insufficient funds to perform a rescue/withdrawal. This will not affect `tillIn()` as there are explicit balance [checks that revert accordingly](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L255-L260) to prevent allowing creation of offers without posting the necessary collateral
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.