Recommended to use SafeERC20 methods in place of transfer, transferFrom, approve, etc.
The transfer() function is widely used in the codebase for transferring ERC20 tokens. However, using the raw transfer() function is risky because it does not handle certain edge cases, such as failed transfers.
Specifically, because the return value is never captured, the code does not check whether the token transfer succeeded. This leads to silent failures when the token contract returns false instead of reverting, and to compatibility problems when the token does not return a boolean value at all.
Using transfer/transferFrom instead of the safe variants also poses a risk when sending NFTs to contracts that do not implement the IERC721Receiver interface: the transfer itself succeeds, but the NFT may become effectively inaccessible, leading to unintended consequences.
Using `approve` may invite race conditions and front-running issues. Instead, we can use SafeApprove.
Silent failures: if the token transfer fails (e.g., due to insufficient balance or allowance) and the token signals this by returning false, the unchecked transfer() call neither reverts nor provides feedback. Tokens are not transferred, yet the contract continues execution as if they were.
Compatibility issues: some ERC20 tokens do not follow the standard behavior of returning a boolean value on success. Calling transfer() through the standard IERC20 interface without accounting for this causes issues when interacting with these non-standard tokens.
OpenZeppelin SafeERC20 library documentation
Manual Review
Use the SafeERC20 library: replace transfer with safeTransfer and transferFrom with safeTransferFrom, and modify allowances using safeIncreaseAllowance / safeDecreaseAllowance.