Vulnerability details
The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This return value should be checked for success.
The TracerPerpetualSwaps.deposit, TracerPerpetualSwaps.withdraw and TracerPerpetualSwaps.withdrawFees functions do not check the return value:
Impact
Some tokens do not revert if the transfer failed but return false instead.
Tokens that don't actually perform the transfer and return false are still counted as a correct transfer.
Recommended Mitigation Steps
We recommend using OpenZeppelin's SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
Handle: cmichel