code-423n4 / 2021-06-tracer-findings


Insurance ERC20 return values not checked #96

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This parameter should be checked for success. The Insurance.deposit and Insurance.withdraw functions do not check the return value:

// deposit
collateralToken.transferFrom(msg.sender, address(this), rawTokenAmount);

// withdraw
collateralToken.transfer(msg.sender, rawTokenAmount);

Impact

Some tokens do not revert if the transfer failed but return false instead. Tokens that don't actually perform the transfer and return false are still counted as a correct transfer.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
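The two patterns the finding contrasts, as an added illustration rather than code from the Tracer Insurance contract or from the report itself: a hypothetical vault that drops the return value beside the same vault using OpenZeppelin's SafeERC20, plus a constructed token that returns false instead of reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed for this example: a token that signals failure by returning
// false rather than reverting. It never moves any balance.
contract FalseReturningToken {
    function transfer(address, uint256) external pure returns (bool) { return false; }
    function transferFrom(address, address, uint256) external pure returns (bool) { return false; }
}

// Vulnerable pattern (hypothetical vault): the boolean result is dropped, so a
// failed transfer still credits the depositor's internal balance.
contract UncheckedVault {
    IERC20 public immutable collateralToken;
    mapping(address => uint256) public balances;
    constructor(IERC20 token) { collateralToken = token; }

    function deposit(uint256 amount) external {
        collateralToken.transferFrom(msg.sender, address(this), amount); // return value ignored
        balances[msg.sender] += amount; // credited even if the token returned false
    }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount; // debited even if the token returned false
        collateralToken.transfer(msg.sender, amount); // return value ignored
    }
}

// Hardened pattern: SafeERC20 reverts when the call fails or returns false,
// and also tolerates tokens whose transfer returns no value at all.
contract CheckedVault {
    using SafeERC20 for IERC20;
    IERC20 public immutable collateralToken;
    mapping(address => uint256) public balances;
    constructor(IERC20 token) { collateralToken = token; }

    function deposit(uint256 amount) external {
        collateralToken.safeTransferFrom(msg.sender, address(this), amount); // reverts on false
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        balances[msg.sender] -= amount;
        collateralToken.safeTransfer(msg.sender, amount); // reverts on false
    }
}
```

Deploying both vaults against `IERC20(address(new FalseReturningToken()))` shows the difference: `UncheckedVault.deposit` succeeds and records a balance backed by nothing, while `CheckedVault.deposit` reverts.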

raymogg commented 3 years ago

Duplicate of #115