Dria

Swan
NFTHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Missing `safeTransfer` library can lead to bricked sales

Summary

Some widely used tokens, USDT on mainnet among them, do not return a bool from `transfer`. The OpenZeppelin `ERC20`/`IERC20` interface the project compiles against declares `transfer` as `returns (bool)`, so a call made through that interface reverts when the token returns no data. Any sale flow that moves such a token would therefore be bricked by this interface mismatch.

Vulnerability Details

Token contracts such as mainnet USDT do not return a bool from `transfer` (or `transferFrom`).

Code from the mainnet USDT contract:

```solidity
// No `returns (bool)`: the call returns zero bytes of return data.
function transfer(address _to, uint _value) public onlyPayloadSize(2 * 32) {
    // ...
}
```

However, the project uses the OpenZeppelin ERC20 contract, which declares a return value:

```solidity
// Callers that compile against this signature expect 32 bytes of return data.
function transfer(address to, uint256 value) public virtual returns (bool) {
    // ...
}
```

Due to this mismatch, if the project decides to support USDT for purchases, the contracts will break. The function selector is identical, so the call reaches the token and the transfer itself executes, but Solidity then tries to ABI-decode the declared `bool` from the return data. Since Solidity 0.4.22 a high-level call reverts when the return data is shorter than the declared return type, so the empty return payload from USDT causes the whole transaction to revert.

Impact

Mainnet USDT (and any other token that omits the bool return value) cannot be supported by the protocol; every purchase or payout in such a token reverts.

Tools Used

Manual Review

Recommendations

Consider using a safe-transfer wrapper such as OpenZeppelin's `SafeERC20` (`safeTransfer` / `safeTransferFrom`) or Solmate's `SafeTransferLib`. These perform a low-level call and treat empty return data as success, reverting only when the call itself fails or the token explicitly returns `false`, so tokens with and without the bool return value both work.
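As an added illustration (not code from the Swan project or from the original submission), the following puts the vulnerable pattern next to the hardened one. `NoReturnToken`, `UnsafeSale` and `SafeSale` are hypothetical names constructed for this example; the token is a minimal stand-in for a USDT-style contract, not the real Tether code. The imports assume OpenZeppelin Contracts v5 paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed stand-in for a USDT-style token: `transfer` returns nothing.
/// Hypothetical; only the behaviour relevant to the finding is modelled.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000;
    }

    // Same selector as IERC20.transfer(address,uint256), but no `returns (bool)`,
    // so the call produces zero bytes of return data.
    function transfer(address to, uint256 value) external {
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }
}

/// Hypothetical sale contract showing the vulnerable pattern.
contract UnsafeSale {
    function payout(IERC20 token, address to, uint256 amount) external {
        // Solidity ABI-decodes the return data as a bool. With an empty return
        // payload the decode fails and the transaction reverts, even though the
        // token already moved the balance. Passing IERC20(address(noReturnToken))
        // here therefore always reverts.
        require(token.transfer(to, amount), "transfer failed");
    }
}

/// Hypothetical hardened version using OpenZeppelin's SafeERC20.
contract SafeSale {
    using SafeERC20 for IERC20;

    function payout(IERC20 token, address to, uint256 amount) external {
        // safeTransfer makes a low-level call and requires only that the call
        // succeeded and that the return data, if any, decodes to true. Empty
        // return data is accepted, so NoReturnToken works here.
        token.safeTransfer(to, amount);
    }

    // What the wrapper does, written out by hand for readers who do not want
    // the dependency. The `code.length` check matters: a low-level call to an
    // address with no code "succeeds" with empty return data, so without it a
    // typo'd or not-yet-deployed token address would look like a success.
    function _safeTransferManual(address token, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            token.call(abi.encodeCall(IERC20.transfer, (to, amount)));
        require(ok, "call failed");
        if (data.length == 0) {
            require(token.code.length > 0, "not a contract");
        } else {
            require(abi.decode(data, (bool)), "transfer returned false");
        }
    }
}
```

Deploy `NoReturnToken`, fund each sale contract, and call `payout` with `IERC20(address(token))`: `UnsafeSale.payout` reverts on the return-data decode, while `SafeSale.payout` completes and the recipient balance increases. Swapping in a standard OpenZeppelin `ERC20` makes both succeed, which is exactly the behaviour difference the finding describes.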

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
