Stratax Contracts
First Flight #57
Beginner Friendly, DeFi
100 EXP

Submission Details
Impact: medium
Likelihood: medium
Status: Invalid

Use SafeERC20 in Stratax::recoverTokens for Token Recovery to Support Non-Standard ERC20s

Description:
Using a raw IERC20.transfer call is fragile because several widely used tokens are non-standard: some return no boolean at all, and some signal failure by returning false instead of reverting. With the high-level call above, a token that returns no data makes the call revert when the compiler tries to decode the missing bool, while a token that returns false is silently ignored because the return value is never checked. OpenZeppelin's SafeERC20 wraps both cases: it accepts empty return data from a contract and reverts when the call fails or returns false.

function recoverTokens(address _token, uint256 _amount) external onlyOwner {
@> IERC20(_token).transfer(owner, _amount);
}

Impact:
Medium. Without SafeERC20, recovery may revert unexpectedly or fail silently depending on the token implementation, preventing token recovery when it matters most.

Recommended Mitigation:
Use OpenZeppelin SafeERC20:

+ import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
+ using SafeERC20 for IERC20;
function recoverTokens(address _token, uint256 _amount) external onlyOwner {
- IERC20(_token).transfer(owner, _amount);
+ IERC20(_token).safeTransfer(owner, _amount);
}
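Review bot: the two `+` lines are shown without surrounding context, so it is not clear where each goes: the `import` belongs at file scope beside the existing `IERC20` import, while `using SafeERC20 for IERC20;` must be declared inside the `Stratax` contract body (a file-level `using` directive only compiles on Solidity 0.8.13 and later, and the page does not state the compiler version). Consider adding one line of context above each `+` line, e.g. `contract Stratax { ... + using SafeERC20 for IERC20;`, so the mitigation can be applied without guessing.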

(You can keep the input checks from [L-5] as well.)
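The following is an added example written for this finding; it is not part of the Stratax code base. It places the raw-transfer and safeTransfer variants side by side in a hypothetical owner-controlled `Recovery` contract, exercises them against two constructed mock tokens (`NoReturnToken`, whose transfer returns no data, and `FalseReturnToken`, whose transfer returns false on failure), and reports which behaviour occurred. It assumes OpenZeppelin Contracts v5 is available under the usual `@openzeppelin/contracts` remapping and a compiler in the 0.8.20+ range; the contract names and the `Demo.run()` driver are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler range, not stated by the finding

// Assumes OpenZeppelin Contracts v5 installed under the standard remapping.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock: transfer() moves balances but returns nothing (USDT-style ABI).
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1_000e18; }
    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// Constructed mock: transfer() signals failure by returning false instead of reverting.
contract FalseReturnToken {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1_000e18; }
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Hypothetical owner-controlled recovery contract with both variants side by side.
contract Recovery {
    using SafeERC20 for IERC20;

    address public immutable owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Raw call as in the finding: the compiler expects a bool in the return data, so a
    // token that returns nothing makes this revert; a token that returns false is ignored.
    function recoverRaw(address token, uint256 amount) external onlyOwner {
        IERC20(token).transfer(owner, amount);
    }

    // SafeERC20: empty return data from a contract is accepted; false or a failed call reverts.
    function recoverSafe(address token, uint256 amount) external onlyOwner {
        IERC20(token).safeTransfer(owner, amount);
    }
}

/// Deploys the mocks and exercises both paths; each flag is true when the named behaviour occurs.
contract Demo {
    function run()
        external
        returns (bool rawRevertsOnNoReturn, bool safeAcceptsNoReturn, bool rawIgnoresFalse, bool safeRevertsOnFalse)
    {
        NoReturnToken noRet = new NoReturnToken();
        FalseReturnToken falseRet = new FalseReturnToken();
        Recovery r = new Recovery(); // Demo deploys it, so Demo is the owner
        noRet.transfer(address(r), 100e18); // fund the recovery contract with the no-return token

        // 1) Raw transfer of a no-return token: reverts while decoding the missing bool.
        try r.recoverRaw(address(noRet), 100e18) { rawRevertsOnNoReturn = false; }
        catch { rawRevertsOnNoReturn = true; }

        // 2) safeTransfer of the same token: succeeds and the 100e18 comes back to the owner.
        r.recoverSafe(address(noRet), 100e18);
        safeAcceptsNoReturn = noRet.balanceOf(address(this)) == 1_000e18;

        // 3) Raw transfer of a false-returning token the contract does not hold: no revert, nothing moved.
        try r.recoverRaw(address(falseRet), 1) { rawIgnoresFalse = true; }
        catch { rawIgnoresFalse = false; }

        // 4) safeTransfer of the same: the returned false is checked and the call reverts.
        try r.recoverSafe(address(falseRet), 1) { safeRevertsOnFalse = false; }
        catch { safeRevertsOnFalse = true; }
    }
}
```

Deploy `Demo` and call `run()`: the first and third flags show the two failure modes of the raw call from the finding (unexpected revert, silent no-op), the second and fourth show that `safeTransfer` handles both. The mocks only implement `transfer` and `balanceOf`, which is all the recovery path touches; the rest of the ERC20 surface is irrelevant to the point being demonstrated.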


Updates

Lead Judging Commences

izuman Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

WEIRD ERC20 Tokens

Currently there is no support for weird ERC20 tokens, i.e. FOT tokens, missing return values, reentrancy, etc.
