code-423n4 / 2021-04-vader-findings

ERC20 return values not checked #231

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

@cmichelio

Vulnerability details

The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter needs to be checked for success. Furthermore, some tokens (like USDT) don't correctly implement the ERC20 standard and don't return a boolean.

It's missing in many contracts, for instance, in Router.moveTokenToPools.

Impact

Tokens that don't actually perform the transfer and return false are still counted as a correct transfer. Tokens that don't correctly implement the spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.

Recommended Mitigation Steps

Use OpenZeppelin's SafeERC20 library.
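The following is an added illustration, not code from the Vader contracts or from the finding above. It places the unchecked pattern the issue describes next to the SafeERC20 fix, using two constructed mock tokens: one that returns `false` without moving funds, and one USDT-style token whose `transfer()` returns no data at all. The contract and function names (`UncheckedVault`, `SafeVault`, `moveToken`, `MinimalSafeTransfer`) are assumptions chosen for the example; the OpenZeppelin import paths and `safeTransfer` API are the real ones from OpenZeppelin Contracts 4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: transfer() returns false and moves nothing.
contract ReturnsFalseToken {
    mapping(address => uint256) public balanceOf;

    function transfer(address, uint256) external pure returns (bool) {
        return false;
    }
}

// Constructed mock of a USDT-style token: transfer() has no return value.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e18;
    }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Vulnerable pattern (hypothetical name), as described in the finding.
contract UncheckedVault {
    function moveToken(address token, address to, uint256 amount) external {
        // ReturnsFalseToken: the call succeeds, no funds move, and execution
        // continues as if the transfer happened.
        // NoReturnToken: the ABI decoder expects 32 bytes of return data,
        // finds none, and reverts, so the token cannot be used at all.
        IERC20(token).transfer(to, amount);
    }
}

// Hardened pattern: OpenZeppelin's SafeERC20 wrapper.
contract SafeVault {
    using SafeERC20 for IERC20;

    function moveToken(address token, address to, uint256 amount) external {
        // Reverts if the low-level call fails, if a returned bool is false,
        // and accepts tokens that return no data (USDT-style).
        IERC20(token).safeTransfer(to, amount);
    }
}

// What SafeERC20 does under the hood, written out so the check is visible
// (hypothetical library; OpenZeppelin's version is the one to use).
library MinimalSafeTransfer {
    function safeTransfer(address token, address to, uint256 amount) internal {
        // A call to an address with no code "succeeds" with empty return data,
        // which would otherwise be indistinguishable from a no-return token.
        require(token.code.length > 0, "not a contract");

        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );

        // Accept either no return data or a returned true; reject everything else.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

Deploying `UncheckedVault` against `ReturnsFalseToken` shows the first impact in the finding (silent accounting drift), and against `NoReturnToken` the second (every call reverts). `SafeVault` behaves correctly with both, which is why the recommended fix is to route every `transfer`/`transferFrom` through `safeTransfer`/`safeTransferFrom` rather than adding ad-hoc `require(token.transfer(...))` checks, which still break for no-return tokens.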