recoverTokens calls IERC20(_token).transfer(owner, _amount) directly without checking the return value and without using SafeERC20. Some ERC-20 tokens (notably USDT on Ethereum mainnet) return false on failure instead of reverting. The transfer silently fails, the owner believes the recovery succeeded, and the tokens remain in the contract.
Likelihood:
USDT, an extremely common token, returns false on failure rather than reverting, and it is a likely candidate for accidental contract deposits
Any amount overflow or balance shortfall (e.g., trying to recover more than the balance) produces a silent no-op
Impact:
The owner calls recoverTokens believing funds were recovered; the transaction succeeds, but the token's Transfer event may never be emitted (USDT does not emit on failed transfers), leaving no on-chain evidence of failure
Tokens remain stuck in the contract with no indication of what went wrong
Use SafeERC20.safeTransfer, which checks the return value and reverts on failure:
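The following is an added illustration, not the audited project's code: a minimal recovery contract showing the unchecked `transfer` beside the `safeTransfer` fix, plus a constructed mock token that returns false instead of reverting so the difference can be exercised in a local test. The contract name, the `onlyOwner` modifier and the mock are assumptions; `recoverTokens`, `owner`, `_token` and `_amount` are the names from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed for illustration; assumed shape of a recovery contract.
contract TokenRecovery {
    using SafeERC20 for IERC20;

    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// BEFORE (vulnerable pattern from the finding): the boolean result is
    /// discarded. A token that returns false instead of reverting leaves the
    /// tokens in the contract while this transaction "succeeds".
    function recoverTokensUnchecked(address _token, uint256 _amount) external onlyOwner {
        IERC20(_token).transfer(owner, _amount);
    }

    /// AFTER: safeTransfer reverts when the call reverts or returns false,
    /// and tolerates tokens that return no data at all.
    function recoverTokens(address _token, uint256 _amount) external onlyOwner {
        IERC20(_token).safeTransfer(owner, _amount);
    }
}

/// Constructed mock mimicking a token that returns false on failure.
/// Use it in a local test: mint less than _amount to TokenRecovery, then
/// observe recoverTokensUnchecked succeeding and recoverTokens reverting.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure, no event
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```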