Must use safeTransferFrom() instead of transferFrom()
Summary
The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead.
Vulnerability Details
Some tokens (like USDT) don't correctly implement the EIP20 standard and their transfer/ transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.
The transferRoyalties() and purchase() functions use ERC20.transfer() and ERC20.transferFrom().
https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L265
https://github.com/Cyfrin/2024-10-swan-dria/blob/c8686b199daadcef3161980022e12b66a5304f8e/contracts/swan/Swan.sol#L298
Impact
Tokens that don't actually perform the transfer and return false are still counted as a correct transfer and tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.
Tools Used
Manual verification
Recommendations
Use OpenZeppelin's SafeERC20 versions with the safeTransfer() and safeTransferFrom() functions that handle the return value check as well as non-standard-compliant tokens.
Lead Judging Commences
[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.