Submission Details
Severity:
Lack of Support for Non-Standard ERC20 Tokens in Treasury Contract Causes Transaction failures with non-standard tokens
Finding description and impact
The contract assumes all tokens strictly adhere to the ERC20 standard, which is not always the case. Some tokens may have non-standard transfer or transferFrom implementations (USDT), causing transaction failures and rendering certain tokens unusable within the contract.
Proof of Concept
-
Some tokens return
falseinstead of reverting on failure. -
Example:
function withdraw(address token,uint256 amount,address recipient) external override nonReentrant onlyRole(MANAGER_ROLE) {if (token == address(0)) revert InvalidAddress();if (recipient == address(0)) revert InvalidRecipient();if (_balances[token] < amount) revert InsufficientBalance();_balances[token] -= amount;_totalValue -= amount;IERC20(token).transfer(recipient, amount); // May fail silentlyemit Withdrawn(token, amount, recipient);}
Recommended mitigation steps
Use OpenZeppelin’s SafeERC20 library to handle token transfers safely:
function withdraw(
address token,
uint256 amount,
address recipient
) external override nonReentrant onlyRole(MANAGER_ROLE) {
if (token == address(0)) revert InvalidAddress();
if (recipient == address(0)) revert InvalidRecipient();
if (_balances[token] < amount) revert InsufficientBalance();
_balances[token] -= amount;
_totalValue -= amount;
IERC20(token).safeTransfer(recipient, amount);
emit Withdrawn(token, amount, recipient);
}
Updates
Lead Judging Commences
inallhonesty 6 months ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
[INVALID] SafeERC20 not used
LightChaser Low-60
Prize pool breakdown
Total prize
77,280 USDC
nSLOC
3,86420 USDC / LOC
74,000
3,280
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.