The contract calls the ERC20 transfer and transferFrom functions without checking their return values. The ERC20 standard specifies that both return a boolean indicating success, and that callers must handle a false return. Because the contract never inspects the result, every transfer is assumed to have succeeded, so a token that signals failure by returning false rather than reverting can cause assets or payments to be lost silently.
Vulnerability Details
ERC20 transfer and transferFrom are expected to return a boolean, and the standard does not require them to revert on failure; it explicitly states that callers must not assume false is never returned. With a token that returns false, a failed transfer leaves no trace: no revert, no event, only an unchanged balance. In this contract the return value is ignored, so if transfer or transferFrom fails without reverting, the contract proceeds as though the tokens moved, for example crediting a deposit that was never received or recording a payout that never left the contract. The issue applies to any ERC20 token that reports failure through its return value instead of reverting.
Impact
The issue is informational for tokens that revert on failure, but it becomes a loss vector with tokens that return false instead. Against such tokens the missing checks turn failed transfers into silent failures, resulting in asset loss for the contract or incomplete payments to users.
Tools Used
Manual code review
Recommendations
To mitigate this vulnerability and improve compatibility with non-standard ERC20 tokens, use SafeERC20 from OpenZeppelin's library: replace token.transfer(...) with token.safeTransfer(...) and token.transferFrom(...) with token.safeTransferFrom(...). These wrappers revert when the call fails or returns false, and they also accept tokens that return no value at all, which a plain require(token.transfer(...)) would reject because Solidity checks the size of the returned data.
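The following is an added illustration, not code from the audited contract: a hypothetical vault written first with unchecked transfers and then with SafeERC20, together with a constructed token that returns false and moves nothing, which is the failure mode this finding describes. Contract and variable names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for this finding; not the audited project's code.
// Assumes OpenZeppelin Contracts is available at the usual import path.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed test token: every transfer "fails" by returning false and
/// never changes a balance. It models a token that does not revert on failure.
contract FalseReturningToken {
    function transfer(address, uint256) external pure returns (bool) {
        return false;
    }

    function transferFrom(address, address, uint256) external pure returns (bool) {
        return false;
    }
}

/// Vulnerable pattern (hypothetical): return values are ignored.
contract VulnerableVault {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        // Return value ignored: with FalseReturningToken no tokens arrive,
        // yet the caller is credited with `amount`.
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;
        // Return value ignored: the user's balance is debited even if the
        // payout silently fails, so the tokens are stuck in the vault.
        token.transfer(msg.sender, amount);
    }
}

/// Hardened pattern: SafeERC20 reverts on a failed call, on a false return,
/// and still accepts tokens whose transfer functions return no data.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        // Reverts with SafeERC20FailedOperation when the token returns false,
        // so the balance below is only credited after tokens actually moved.
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;
        // Reverts on failure, which also rolls back the balance debit above.
        token.safeTransfer(msg.sender, amount);
    }
}
```

Deploying VulnerableVault with `IERC20(address(new FalseReturningToken()))` and calling deposit(100) leaves balances[msg.sender] at 100 while the vault holds nothing; the same call on SafeVault reverts. Note that SafeERC20 only detects failures the token reports; it does not detect fee-on-transfer or rebasing tokens that deliver fewer tokens than requested, which would need a balance-delta check and is outside the scope of this finding.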