NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

Raw `transferFrom` Calls Are Used Instead Of `SafeERC20`

Description

The contract calls `usdc.transferFrom(...)` directly in `mintNft()` and `buy()` and manually checks the boolean return value. This is less robust than using `SafeERC20.safeTransferFrom`, since some ERC20 implementations do not return a value consistently.

```solidity
require(usdc.transferFrom(msg.sender, address(this), lockAmount), "USDC transfer failed");
bool success = usdc.transferFrom(msg.sender, address(this), listing.price);
require(success, "USDC transfer failed");
```

Risk

Likelihood:

  • The issue appears whenever the contract interacts with a token that does not strictly follow the standard ERC20 return-value behavior.

Impact:

  • Token transfers may behave unexpectedly or fail to integrate cleanly with non-standard ERC20 implementations.

Proof of Concept

The issue is visible directly in `mintNft()` and `buy()`, where raw `transferFrom` calls are used instead of `SafeERC20.safeTransferFrom`.
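As an added illustration (not code from the NFT Dealers codebase), a constructed mock token whose `transferFrom` returns no data, next to a hypothetical `Vault` contract that contains both the raw pattern from the finding and the `SafeERC20` pattern. It assumes OpenZeppelin's `IERC20` and `SafeERC20` are available at the import paths shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock token: transferFrom declares no return value, so the call
// returns zero bytes of data (a behaviour some long-deployed tokens share).
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address holder, uint256 amount) {
        balanceOf[holder] = amount;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

// Hypothetical consumer contract showing both patterns side by side.
contract Vault {
    using SafeERC20 for IERC20;
    IERC20 public immutable usdc;

    constructor(IERC20 token) {
        usdc = token;
    }

    // Raw pattern from the finding. With NoReturnToken this always reverts:
    // the ABI decoder expects 32 bytes for the `bool` and gets none, so the
    // whole deposit (including the token movement) is rolled back.
    function depositRaw(uint256 amount) external {
        require(usdc.transferFrom(msg.sender, address(this), amount), "USDC transfer failed");
    }

    // SafeERC20 pattern: tolerates empty return data, reverts on `false`
    // return data or when the token address holds no code.
    function depositSafe(uint256 amount) external {
        usdc.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

Deploy `NoReturnToken`, construct the vault as `new Vault(IERC20(address(token)))`, approve it, and call both deposit functions: `depositRaw` reverts every time while `depositSafe` succeeds.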

Recommended Mitigation

Use `SafeERC20.safeTransferFrom` consistently for inbound token transfers.

-require(usdc.transferFrom(msg.sender, address(this), lockAmount), "USDC transfer failed");
+usdc.safeTransferFrom(msg.sender, address(this), lockAmount);
-bool success = usdc.transferFrom(msg.sender, address(this), listing.price);
-require(success, "USDC transfer failed");
+usdc.safeTransferFrom(msg.sender, address(this), listing.price);
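Review bot: the two `+` lines call `usdc.safeTransferFrom(...)` as a library method on the `usdc` variable, which only compiles if the contract also imports `SafeERC20` and declares `using SafeERC20 for IERC20;`; neither appears in the diff, so the mitigation should add both alongside the replaced calls (or call `SafeERC20.safeTransferFrom(usdc, msg.sender, address(this), lockAmount)` explicitly).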
Updates

Lead Judging Commences

rubik0n Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

info