The claim() function sends tokens with an `extcall` to IERC20.transfer(). Because the IERC20 interface declares transfer() as returning a bool, Vyper expects 32 bytes of return data and reverts the whole call when a token returns none, and the function does not otherwise confirm that the token behaves as the ERC-20 standard expects. Tokens that deviate from the standard return convention can therefore cause failed claims or, where a token signals failure with a False return instead of a revert, a state update with no tokens actually moved.
The function transfers tokens using an external call:
The issue arises because not all ERC-20 tokens return a boolean. Some tokens (e.g., USDT on Ethereum mainnet) return no data at all from transfer(); since the interface promises a bool, Vyper's return-data check fails and the extcall reverts, so the claim can never complete for such a token.
The opposite deviation is a token that returns False on failure rather than reverting. If the returned `_success` value is not asserted, the contract zeroes the user's balance while no tokens are transferred, so users see their balance deducted without receiving funds.
Deploy an ERC-20 token contract that does not return a boolean in transfer().
Call the claim() function to attempt a withdrawal.
The transaction reverts because the extcall receives less return data than the interface requires; with a token that instead returns False without reverting and an unchecked `_success`, the call succeeds but no tokens are transferred.
If the token being used does not return a boolean, users may be unable to claim their funds.
In the worst case, tokens could be locked inside the contract indefinitely, leading to financial loss.
Manual review
Use Vyper’s raw_call for safer token transfers:
Alternatively, verify each token's transfer() return behaviour before integrating it with the contract.
Implement a safe-transfer helper that accepts tokens returning no data and still rejects tokens that return False.
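The following Vyper sketch is an added example, not the audited project's or the report author's code. The storage layout (`token`, `balances`), the `claim()` body and the `_safe_transfer()` helper are assumptions, and how balances are credited is left out. It keeps the original `extcall` pattern as a comment next to a `raw_call`-based transfer that accepts an empty response (USDT-style tokens) but fails the claim on an explicit False.

```vyper
# pragma version ~=0.4.0
# Added example (not the audited project's code). Assumes a single configured
# token and a per-user claimable balance; all names below are illustrative.

token: public(immutable(address))
balances: public(HashMap[address, uint256])


@deploy
def __init__(_token: address):
    token = _token


@internal
def _safe_transfer(_token: address, to: address, amount: uint256):
    # raw_call to an address with no code succeeds with empty return data,
    # which the length check below would accept, so refuse non-contracts.
    assert _token.is_contract, "token has no code"
    # revert_on_failure defaults to True, so a token that reverts (e.g. on an
    # insufficient balance) still reverts this call. max_outsize=32 captures an
    # optional ABI-encoded bool; a token that returns nothing yields len == 0.
    response: Bytes[32] = raw_call(
        _token,
        abi_encode(to, amount, method_id=method_id("transfer(address,uint256)")),
        max_outsize=32,
    )
    # Accept no return data (USDT-style tokens) or an explicit True. A False
    # means the token signalled failure without reverting, so fail the claim.
    assert len(response) == 0 or convert(response, bool), "transfer returned false"


@external
@nonreentrant
def claim():
    amount: uint256 = self.balances[msg.sender]
    assert amount > 0, "nothing to claim"
    self.balances[msg.sender] = 0
    # Original pattern, for comparison:
    #     extcall IERC20(token).transfer(msg.sender, amount)
    # The interface declares a bool return, so Vyper reverts when the token
    # returns fewer than 32 bytes, and the claim never completes for that token.
    self._safe_transfer(token, msg.sender, amount)
```

Vyper also offers a one-line alternative for the non-returning case: `extcall IERC20(token).transfer(msg.sender, amount, default_return_value=True)` makes the compiler treat empty return data as True while a returned False still fails the assertion, which is enough when the only concern is tokens like USDT. The `is_contract` check matters on the `raw_call` path because a call to an address with no code returns empty data and would otherwise pass the length check.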