Use `safeTransferFrom()` and `safeTransfer()` instead of `transferFrom()` and `transfer()`
Vulnerability Details
The internal functions _safe_transfer() and _safe_transfer_from() in the Rescuable contract use transfer() and transferFrom() instead of safeTransfer() and safeTransferFrom() and it is misleading.
TokenManager::tillIn() calls _safe_transfer() which uses transfer() instead of safeTransfer():
TokenManager::withdraw() calls _transfer() and _safe_transfer_from() which use transferFrom() instead of safeTransferFrom():
Impact
Inconsistent naming: The function names _safe_transfer() and _safe_transfer_from() imply safe operations, but they don't actually use the safe versions of the transfer functions, which is misleading to developers and auditors.
Moreover, if non-standard ERC20 tokens such as USDT are used in the future, the contract will not be able to handle them correctly.
Recommendations
Use safeTransfer() and safeTransferFrom() instead of transfer() and transferFrom().
Lead Judging Commences
[invalid] finding-weird-erc-20-return-boolean-Rescuable
I believe the issues and duplicates do not warrant low severity severity as even if the call to transfers returns false instead of reverting, there is no impact as it is arguably correct given there will be insufficient funds to perform a rescue/withdrawal. This will not affect `tillIn()` as there are explicit balance [checks that revert accordingly](https://github.com/Cyfrin/2024-08-tadle/blob/04fd8634701697184a3f3a5558b41c109866e5f8/src/core/TokenManager.sol#L255-L260) to prevent allowing creation of offers without posting the necessary collateral
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.