Unchecked ERC20 transfer in withdrawTokens → Silent failure + incorrect event emission on failed withdrawals

Description

• The withdrawTokens function is intended to allow the owner to withdraw any ERC20 tokens collected by the hook (e.g., fees or rebates).

• The current implementation calls IERC20(token).transfer(to, amount) directly without checking the returned bool. Many ERC20 tokens (USDT, older tokens, some fee-on-transfer tokens) return false instead of reverting on failure, or have non-standard behavior.

• As a result, a failed transfer is treated as successful and the TokensWithdrawn event is still emitted, creating an inconsistent on-chain state.

Risk

Likelihood:

• Any non-standard or legacy ERC20 token deposited into the hook will trigger the issue

• Tokens that return false on failure (e.g., USDT before CPI upgrade, certain proxy tokens) are still widely used

• Fee-on-transfer or rebasing tokens may also cause transfer to return false

Impact:

• Tokens can become permanently stuck in the hook if the transfer silently fails

• The TokensWithdrawn event lies about a successful withdrawal, breaking off-chain accounting and monitoring

• Owner may believe funds were sent when they were not, leading to loss of funds or delayed recovery attempts

Proof of Concept

Add the following code snippet to the RebateFiHookTest.t.sol test file.

This is a mock ERC20 token that will revert on the first transfer. Add this contract to the RebateFiHookTest.t.sol file.

This is a test function that will test the ReFiSwapRebateHook::withdrawTokens function with a failed token. Add this test to the RebateFiHookTest.t.sol file.

Recommended mitigation

ERC20 functions may not behave as expected. For example: return values are not always meaningful. It is recommended to use OpenZeppelin's SafeERC20 library.