As stated in the protocol's description (under the Scope section), the protocol is meant to be compatible with any EVM token, i.e. any ERC20.
The major issue is that the protocol never defines exactly which ERC20 tokens it is prepared to integrate with.
This opens the door to every non-standard ("weird") ERC20 in the wild, and a protocol that does not know what it is dealing with is very likely to get rekt at some point.
For instance, there are many ERC20 tokens which:
are missing return values, i.e. they return nothing on success instead of the `bool` the standard declares, so a call made through the standard interface reverts; others return `false` on failure instead of reverting, so an unchecked call silently succeeds.
charge a transfer fee, so the amount that arrives is less than the amount transferred, leading to unexpected balances in the protocol.
act as rebasing tokens, i.e. their balances change on their own over time, so any amount recorded at deposit time drifts away from the balance actually held.
and much more...
Here's a really well-known repository which talks about this issue: Weird ERC20 Tokens
Likelihood: Medium/Low
There is a good chance the protocol ends up integrating a weird ERC20 token such as USDT or USDC.
Impact: Medium
It is hard to predict exactly how an unexpected ERC20 token will break the contract, since most of these tokens are simply not compatible with the code as written.
This finding comes without a proof of concept: the issue is well known and has long been pushed by the industry as an advisory to newly created protocols that are bound to interact with many different ERC20s.
The Weird ERC20 Tokens repo is the best starting point for fixing this issue. It documents the non-standard behaviours seen in practice and suggests ways to guard against them.
Additionally, decide up front which ERC20 tokens the protocol is going to support and adapt the token-handling code accordingly.
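As an added example (not code from the audited protocol or from the Weird ERC20 repo), the pattern below shows a minimal deposit vault written the way the finding warns against, beside a hardened version. The contract and function names (VaultUnsafe, VaultSafe, deposit, withdraw, credited) are assumptions for illustration; the only external dependency is OpenZeppelin's IERC20 and SafeERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// BEFORE: trusts the requested amount and ignores the transfer's result.
// (Illustrative example; names are assumptions, not the protocol's own.)
contract VaultUnsafe {
    IERC20 public immutable token;
    mapping(address => uint256) public credited;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        // (1) A token that returns nothing (USDT-style) makes this call revert,
        //     because the compiler expects to ABI-decode a bool return value.
        // (2) A token that returns false instead of reverting is silently
        //     accepted, because the return value is never checked.
        token.transferFrom(msg.sender, address(this), amount);
        // (3) A fee-on-transfer token delivers less than `amount`, so the vault
        //     credits more than it holds and the last withdrawer is left short.
        credited[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        credited[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // same unchecked-return problem
    }
}

// AFTER: handles (1), (2) and (3). Rebasing tokens remain unsupported and
// should be excluded explicitly (see note below).
contract VaultSafe {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credited;
    uint256 public totalCredited; // invariant: totalCredited <= token.balanceOf(this)

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external returns (uint256 received) {
        uint256 before = token.balanceOf(address(this));
        // safeTransferFrom tolerates tokens that return no value and reverts
        // if a bool-returning token returns false.
        token.safeTransferFrom(msg.sender, address(this), amount);
        // Credit only what actually arrived, not what was requested, so
        // fee-on-transfer tokens cannot inflate the vault's liabilities.
        received = token.balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
        totalCredited += received;
    }

    function withdraw(uint256 amount) external {
        // Checked arithmetic (0.8.x) reverts if the caller overdraws.
        credited[msg.sender] -= amount;
        totalCredited -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

Two caveats a reviewer would add. The before/after balance read is only sound if nothing can call back into the vault between the two reads; tokens with transfer hooks (ERC777-style) can, so the deposit path should also be guarded against reentrancy. And balance-delta accounting does not make rebasing tokens safe: `totalCredited` will drift away from the real balance as the token rebases, so such tokens either need share-based accounting or should be rejected at configuration time, which is exactly why the recommendation above is to decide the supported token list up front.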