Lack of Safe Transfer Mechanism Could Result in Undetected Transfer Failures
Summary
The use of unsafe token transfer operations in the protocol could lead to issues with account balancing or potential loss of funds.
Vulnerability Details
Functions within the protocol rely on the standard transfer() function for token transfers. However, this approach is unsafe, as some tokens do not revert on failed transfers and instead return a false boolean value to indicate failure. If these return values are not checked, transfers could fail silently, leading to unrecorded errors.
An example is tokens like USDT, which do not fully conform to the ERC-20 standard and return void instead of a success boolean. As a result, a failed transfer could still be mistakenly considered successful, potentially causing unaccounted losses.
This silent failure can result in user funds being inaccurately accounted for within the protocol, leading to potential losses for the receiving party.
Impact
Failed transfers may be recorded as successful, potentially causing loss of funds for the intended recipient.
Tools Used
Manual Review
Recommendations
To ensure secure transfers, use OpenZeppelin's SafeERC20 library and the safeTransfer() function. This library handles non-standard tokens by verifying transfer results, ensuring funds are safely moved without silent failures.
Lead Judging Commences
[KNOWN] - Low-35 Unsafe use of transfer()/transferFrom() with IERC20
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.