Handle
shw
Vulnerability details
Impact
In some contracts (e.g., TracerPerpetualSwaps.sol), the return values of the ERC20 transfer and transferFrom calls are not checked to be true. A token that is not fully ERC20-compliant may return false instead of reverting; in that case the transfer fails without the calling contract noticing, and execution continues as if the tokens had moved.
Proof of Concept
Referenced code:
Code using transfer: TracerPerpetualSwaps.sol#L203, TracerPerpetualSwaps.sol#L514, Insurance.sol#L97, SafetyWithdraw.sol#L13
Code using transferFrom: TracerPerpetualSwaps.sol#L151, Insurance.sol#L51
Recommended Mitigation Steps
Use the SafeERC20 library implementation from OpenZeppelin and call safeTransfer or safeTransferFrom when transferring ERC20 tokens.