Stratax Contracts

First Flight #57
Beginner FriendlyDeFi
100 EXP
Submission Details
Impact: low
Likelihood: medium

Unsafe ERC20 Transfer Assumptions May Cause Silent Transfer Failures

Author Revealed upon completion

Root + Impact

Description

  • The protocol interacts with ERC20 tokens assuming all tokens revert on transfer failure. However, some widely used tokens (such as USDT-like implementations) return false instead of reverting.

    When transfer return values are not checked, token transfers may silently fail while the protocol continues execution, leading to incorrect accounting or stuck funds.


// Root cause: transfer return value is not validated
IERC20(token).transfer(to, amount);
IERC20(token).transferFrom(from, to, amount);

Risk

Likelihood:

  • Non-standard ERC20 tokens exist and are widely used.

Token transfers can fail due to pause, blacklist, or insufficient balance while returning false.

Impact:

  • Protocol may assume tokens were transferred when they were not.

  • Funds may become stuck or accounting may become inconsistent.

Proof of Concept

// Example token behavior
function transfer(address to, uint256 amount) public returns (bool) {
if (blacklisted[msg.sender]) {
return false; // does NOT revert
}
balances[to] += amount;
return true;
}

Execution flow:

  1. Stratax calls transfer()

  2. Token returns false

  3. Contract does not check return value

  4. Execution continues assuming success

  5. Later operations rely on incorrect balances

Recommended Mitigation

+ using SafeERC20 for IERC20;
- IERC20(token).transfer(to, amount);
+ IERC20(token).safeTransfer(to, amount);
- IERC20(token).transferFrom(from, to, amount);
+ IERC20(token).safeTransferFrom(from, to, amount);

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!