ERC20 unchecked return values of transfer, approve and transferFrom
The `transfer()`, `transferFrom()` and `approve()` functions return a boolean value indicating success. This return value needs to be checked to see if the transfer or approval has been successful. Some tokens like EURS and BAT will not revert if the transfer failed but return `false` instead. Tokens that don't actually perform the transfer and return `false` are still counted as a correct transfer.
https://github.com/Cyfrin/2024-08-tadle/blob/main/src/utils/Rescuable.sol#L84-L117
The protocol would still create the offer or change the state even if the transfer or approval wasn't successful.
Manual review
Use OZ's SafeERC20's `safeTransferFrom()`, `safeTransfer` and `safeApprove` functions.
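The unchecked call next to the SafeERC20 wrapper, as an added example that is not code from the audited repository. `FalseReturningToken` and `PayoutSketch` are constructed, hypothetical contracts, and the import paths assume the standard OpenZeppelin package layout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed token that signals failure by returning false instead of
/// reverting, the behaviour the finding describes for tokens like EURS and BAT.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // fails without reverting
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical payout contract (assumption, not the audited code).
contract PayoutSketch {
    using SafeERC20 for IERC20;

    mapping(address => uint256) public paidOut; // internal accounting

    // Unchecked: the returned bool is discarded, so paidOut is updated
    // even when the token moved nothing.
    function payUnchecked(IERC20 token, address to, uint256 amount) external {
        paidOut[to] += amount;
        token.transfer(to, amount);
    }

    // Checked: safeTransfer reverts when the token returns false, which
    // also rolls back the paidOut update made earlier in this call.
    function payChecked(IERC20 token, address to, uint256 amount) external {
        paidOut[to] += amount;
        token.safeTransfer(to, amount);
    }
}
```

With a `FalseReturningToken` cast to `IERC20` and an unfunded `PayoutSketch`, `payUnchecked` completes and records the payout, while `payChecked` reverts and leaves `paidOut` unchanged.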
I believe the issues and duplicates do not warrant low severity as even if the call to transfers returns false instead of reverting, there is no impact as it is arguably correct given there will be insufficient funds to perform a rescue/withdrawal. This will not affect `tillIn()` as there are explicit balance [checks that revert accordingly](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L255-L260) to prevent allowing creation of offers without posting the necessary collateral.