The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success, and callers need to check that return value.
Some tokens do not revert when a transfer fails but return false instead.
The return value is not checked in SushiYieldSource.supplyTokenTo.
Impact
A token that does not actually move the funds and returns false is still treated as a successful deposit.
As sushiAddr is merely a parameter to the yield source, it is not known in advance which token and SushiBar will actually be used, so such a token cannot be ruled out.
Recommended Mitigation Steps
We recommend using OpenZeppelin's SafeERC20 library, whose safeTransfer and safeTransferFrom wrappers check the return value and also handle non-standard tokens that return no value at all.
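The following is an added illustration and not code from the audited SushiYieldSource or from the finding's author. It pairs a token constructed for this example, which returns false instead of reverting, with a hypothetical yield source in the unchecked form beside its SafeERC20 form. The contract names, the supplyTokenTo(uint256 amount, address to) signature, and the balances bookkeeping are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed for this example: a minimal token that signals failure by
/// returning false instead of reverting. It models no real token.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000e18;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Insufficient balance or allowance: report failure, do not revert.
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) {
            return false;
        }
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable pattern (hypothetical contract, not the audited code):
/// the bool returned by transferFrom is discarded, so a caller whose
/// transfer returned false is still credited with the full amount.
contract UncheckedYieldSource {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    // Assumed signature for the example.
    function supplyTokenTo(uint256 amount, address to) external {
        token.transferFrom(msg.sender, address(this), amount); // return value ignored
        balances[to] += amount;                                // credited regardless
    }
}

/// Hardened pattern: SafeERC20.safeTransferFrom reverts when the token
/// returns false, and also accepts tokens that return no value at all.
contract CheckedYieldSource {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function supplyTokenTo(uint256 amount, address to) external {
        token.safeTransferFrom(msg.sender, address(this), amount); // reverts on failure
        balances[to] += amount;                                    // only reached on success
    }
}
```

To see the difference, deploy FalseReturningToken, pass its address (cast to IERC20) to each yield source, and call supplyTokenTo with an amount larger than the caller's balance or allowance: UncheckedYieldSource credits balances[to] although no tokens moved, while CheckedYieldSource reverts with SafeERC20's failure error and leaves balances untouched.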
Handle
cmichel