When transferring ERC20 tokens, the functions transfer and transferFrom are used. These functions return a boolean to indicate whether the action was successful; however, none of the usages check the returned value:
collateralToken.transferFrom(msg.sender, address(this), rawTokenAmount);
IERC20(tracerQuoteToken).transferFrom(msg.sender, address(this), rawTokenAmount);
collateralToken.transfer(msg.sender, rawTokenAmount);
IERC20(tracerQuoteToken).transfer(msg.sender, rawTokenAmount);
IERC20(tracerQuoteToken).transfer(feeReceiver, tempFees);
Handle
pauliax
Vulnerability details
Recommended Mitigation Steps
There are lots of possible issues with different ERC20 tokens (https://github.com/xwvvvvwx/weird-erc20), but the current best practice for dealing with them is to use SafeERC20: https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#SafeERC20
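The unchecked pattern from the finding beside its SafeERC20 form, as an added illustration that is not code from the audited project. The contract and variable names (CollateralVault, quoteToken, balances) are assumptions, and the import paths assume OpenZeppelin Contracts 4.x (the 2.x release linked above places SafeERC20 at token/ERC20/SafeERC20.sol).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example, not the audited project's code. CollateralVault, quoteToken
// and balances are assumed names chosen for illustration.
contract CollateralVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable quoteToken;
    mapping(address => uint256) public balances;

    constructor(IERC20 _quoteToken) {
        quoteToken = _quoteToken;
    }

    // Unchecked pattern (mirrors the finding): the boolean returned by
    // transferFrom is ignored. With a token that returns false on failure
    // instead of reverting, no tokens move but the internal balance is
    // still credited.
    function depositUnchecked(uint256 amount) external {
        quoteToken.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Hardened pattern: safeTransferFrom reverts when the call fails or
    // returns false, and also accepts tokens that return no value at all,
    // which a plain IERC20 call in Solidity 0.8 would reject when decoding
    // the missing return data.
    function deposit(uint256 amount) external {
        quoteToken.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender] += amount;
    }

    // Same treatment on the way out: update state first, then move tokens
    // with safeTransfer so a silent false cannot leave the vault short.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        quoteToken.safeTransfer(msg.sender, amount);
    }
}
```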