You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue
May 5, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead.
Vulnerability Detail
Tokens that don't perform the transfer and return false are still counted as a correct transfer and tokens that don't correctly implement the latest EIP20 spec will be unusable in the protocol as they revert the transaction because of the missing return value.
Impact
Using unsafe ERC20 methods can revert the transaction for certain tokens.
if (value >0) {
totalERC20Claimed[_token][_to] += value;
_token.transfer(_to, value);
}
Tool used
Manual Review
Recommendation
Recommend using OpenZeppelin's SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
tsvetanovv
medium
Unsafe usage of ERC20
transfer()
Summary
The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter needs to be checked for success. Some tokens do not revert if the transfer failed but return false instead.
Vulnerability Detail
Tokens that don't perform the transfer and return false are still counted as a correct transfer and tokens that don't correctly implement the latest EIP20 spec will be unusable in the protocol as they revert the transaction because of the missing return value.
Impact
Using unsafe ERC20 methods can revert the transaction for certain tokens.
Code Snippet
FootiumEscrow.sol
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L98-L111
FootiumPrizeDistributor.sol
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumPrizeDistributor.sol#L97-L134
Tool used
Manual Review
Recommendation
Recommend using OpenZeppelin's SafeERC20 versions with the
safeTransfer
and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.Duplicate of #86
The text was updated successfully, but these errors were encountered: