The Zeno Auction contract uses a direct call to USDC's transferFrom function and relies on its boolean return value. However, certain implementations of USDC do not adhere strictly to the ERC20 standard: specifically, they might not return a boolean as expected. This discrepancy can trigger unexpected reverts in otherwise successful token transfers, thereby disrupting the auction process and hindering user participation.
The problematic line in the contract is:
This line assumes that transferFrom returns true when the transfer succeeds. According to the ERC20 standard, this is expected behavior. However, many real-world tokens, including some implementations of USDC, deviate from this by not returning any value or returning data differently. If USDC's transferFrom does not return a boolean, the require statement might revert the transaction even if the transfer was successful.
This behavior can lead to the auction transaction reverting unexpectedly, potential denial of service where legitimate bids fail, and overall disruption in the auction flow, resulting in user dissatisfaction.
Manual code review
ERC20 Standard Documentation
Replace the direct call with OpenZeppelin's SafeERC20 implementation, as this approach safely handles cases where the token does not return a boolean.
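The fragile pattern beside the recommended SafeERC20 form, as an added illustration that is not the Zeno Auction contract's own code. The contract name, function names and the exact shape of the require line are assumptions, since the page does not reproduce the problematic line.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative bid-collection logic (assumed names, not the audited contract).
contract BidCollector {
    using SafeERC20 for IERC20;

    IERC20 public immutable usdc;

    constructor(IERC20 _usdc) {
        usdc = _usdc;
    }

    /// Fragile pattern: the IERC20 interface declares a bool return, so the
    /// compiler inserts a returndata-size check before decoding it. A token
    /// whose transferFrom returns no data makes this call revert even though
    /// the token balances were already updated, so every bid fails.
    function bidUnsafe(uint256 amount) external {
        require(usdc.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// Hardened pattern: SafeERC20 issues the call at a low level and treats
    /// empty returndata as success, while still reverting if the token
    /// returns false or the call itself reverts.
    function bidSafe(uint256 amount) external {
        usdc.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

When reviewing, search the codebase for every `transfer(` and `transferFrom(` call wrapped in `require` and confirm each is replaced by the `safeTransfer` / `safeTransferFrom` variant.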
LightChaser Low-60