Alchemix Transmuter
Alchemix
DeFiFoundrySolidity
16,653 OP
View results
Previous Next
Submission Details
Severity: low
Invalid

Unchecked Return Value from transferFrom in TokenAdapterMock

sauronsol

Summary

The unwrap function in TokenAdapterMock contract doesn't check the return value of transferFrom, which could lead to silent failures.

Vulnerability Details

In the unwrap function, the return value from transferFrom is not checked:

IERC20(token).transferFrom(msg.sender, address(this), _amount);

Function proving the test:

function testFail_unwrapTransferFromIgnoredReturn() public {
PrivateFailingToken failingToken = new PrivateFailingToken();
TokenAdapterMock vulnerableAdapter = new TokenAdapterMock(address(failingToken));
vulnerableAdapter.unwrap(1000e18, address(this));
assert(false);
}

While most modern ERC20 tokens revert on failed transfers, some older tokens (like USDT) return false instead of reverting. Not checking this return value could lead to the function continuing execution even when the transfer failed.

Impact

Low severity. While this is a best practice violation:

  • Most modern tokens revert on failed transfers

  • This is a mock contract used for testing

  • The actual funds are unlikely to be lost due to subsequent operations that would fail

Tools Used

  • Slither static analyzer

  • Manual review

Recommendations

Use SafeERC20's safeTransferFrom instead of direct transferFrom:

IERC20(token).safeTransferFrom(msg.sender, address(this), _amount);
Updates

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.