Open RensR opened 3 weeks ago
At first glance it looks like IERC20.transfer.selector
is being caught by the detector.
What do you think the conditions should be so that it won't catch this? Maybe when .selector
is used? But then again, I can imagine scenarios where that is using an unsafe ERC20 op.
_callWithExactGasSafeReturnData
Is it a good idea to look for the word safe in the name of the parent function call (if present)? Here it is _callWithExactGasSafeReturnData.
I think it's impossible to perfectly solve, but maybe only trigger when the selector is used directly in a raw call and not when passed into a function. Right now it triggers when I pass a selector, which doesn't even have to be called.
Unsafe ERC20 Operations should not be used
To Reproduce
Steps to reproduce the behavior:
https://github.com/smartcontractkit/ccip
Report states
But the call is actually handled in a similar (but not identical) way to safeERC20.
Not sure if this is a true false negative, but I could see a case being made to not trigger on cases like this
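To make the proposal in this thread concrete, here is an added toy heuristic in Python that is not the detector's own code (the real detector works on a Solidity AST, not on regexes) and is not taken from the ccip repository. It mimics the rule suggested above: report an ERC20 selector only when it feeds a raw `.call(` on the same statement, and stay quiet when the selector is merely passed into a helper such as a hypothetical `_callWithExactGasSafeReturnData` or stored in a variable. The Solidity snippet it scans is constructed for the example; the function and variable names in it are assumptions.

```python
"""Toy statement-level heuristic for the 'unsafe ERC20 operation' rule.

Added example, not the detector's implementation. It classifies each
Solidity statement into one of:
  direct_call          token.transfer(...)          -> flagged
  safe_wrapper         token.safeTransfer(...)      -> not flagged
  selector_in_raw_call .call(...IERC20.transfer.selector...) -> flagged
  selector_passed      helper(..., IERC20.transfer.selector, ...) -> not flagged
  selector_stored      bytes4 s = IERC20.transfer.selector -> not flagged
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ERC20_OPS = ("transfer", "transferFrom", "approve")
_OPS = "|".join(ERC20_OPS)

# token.transfer(...): a direct call whose bool return is easy to ignore.
_DIRECT = re.compile(rf"\.({_OPS})\s*\(")
# OpenZeppelin SafeERC20 wrappers are considered safe by construction.
_SAFE = re.compile(r"\.safe(Transfer|TransferFrom|Approve|IncreaseAllowance|DecreaseAllowance)\s*\(")
# IERC20.transfer.selector: a selector reference, not a call by itself.
_SELECTOR = re.compile(rf"\b\w+\.({_OPS})\.selector\b")
# A raw low-level call on the same statement.
_RAW_CALL = re.compile(r"\.(call|delegatecall|staticcall)\s*\(")


@dataclass
class Finding:
    statement: str
    kind: str
    flagged: bool


def split_statements(source: str) -> List[str]:
    """Strip comments and {gas: g}/{value: v} call options, split on ; { }."""
    source = re.sub(r"//[^\n]*", "", source)
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    source = re.sub(r"\{\s*(?:value|gas)\s*:[^{}]*\}", "", source)
    return [s.strip() for s in re.split(r"[;{}]", source) if s.strip()]


def classify_statement(stmt: str) -> Optional[Finding]:
    m = _SELECTOR.search(stmt)
    if m:
        if _RAW_CALL.search(stmt):
            return Finding(stmt, "selector_in_raw_call", True)
        # Unbalanced '(' before the selector means it is an argument to
        # some function; the detector cannot know what that function does.
        prefix = stmt[: m.start()]
        depth = prefix.count("(") - prefix.count(")")
        if depth > 0:
            return Finding(stmt, "selector_passed", False)
        return Finding(stmt, "selector_stored", False)
    if _SAFE.search(stmt):
        return Finding(stmt, "safe_wrapper", False)
    if _DIRECT.search(stmt):
        return Finding(stmt, "direct_call", True)
    return None


def classify_erc20_uses(source: str) -> List[Finding]:
    out = []
    for stmt in split_statements(source):
        f = classify_statement(stmt)
        if f is not None:
            out.append(f)
    return out


# Constructed sample; helper and variable names are assumptions, not ccip code.
SAMPLE = """
function pay(IERC20 token, address to, uint256 amount) external {
    token.transfer(to, amount);                                   // flagged
    token.safeTransfer(to, amount);                               // not flagged
    (bool ok, ) = address(token).call(
        abi.encodeWithSelector(IERC20.transfer.selector, to, amount));  // flagged
    _callWithExactGasSafeReturnData(
        abi.encodeWithSelector(IERC20.transfer.selector, to, amount),
        address(token), 50_000);                                  // not flagged
    bytes4 sel = IERC20.transfer.selector;                        // not flagged
}
"""

if __name__ == "__main__":
    for f in classify_erc20_uses(SAMPLE):
        print(f"{'FLAG' if f.flagged else 'ok  '} {f.kind:22} {f.statement[:60]}")
```

The `selector_passed` branch is exactly the case the issue describes: the tool sees the selector but cannot tell whether the receiving helper checks the return data, so a rule like this trades a class of false positives for possible false negatives, which is the trade-off the thread is weighing.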