code-423n4 / 2021-06-tracer-findings


SafetyWithdraw ERC20 return values not checked #98

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

cmichel

Vulnerability details

The ERC20.transfer() and ERC20.transferFrom() functions return a boolean value indicating success. This return value should be checked for success. The SafetyWithdraw.withdrawERC20Token function does not check the return value:

function withdrawERC20Token(
    address tokenAddress,
    address to,
    uint256 amount
) external override onlyOwner {
    // The bool returned by transfer() is discarded; a token that returns
    // false on failure leaves this call succeeding without moving funds.
    IERC20(tokenAddress).transfer(to, amount);
}

Impact

Some tokens do not revert if the transfer failed but return false instead. Tokens that don't actually perform the transfer and return false are still counted as a correct transfer.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
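The failure mode described above, as an added example that is not part of the Tracer code base or of this finding: the unchecked withdraw from the report beside a version using OpenZeppelin's SafeERC20, both exercised against a constructed mock token (FalseReturningToken, hypothetical) that returns false instead of reverting. The contract names, the Demo driver and the inline owner check are assumptions made for this example; the only external dependency assumed is the OpenZeppelin contracts package on the import path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the Tracer repository: demonstrates why the
// unchecked transfer() in SafetyWithdraw.withdrawERC20Token is a problem.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock (hypothetical): transfer() returns false on insufficient
/// balance and never reverts, which is the token behaviour the finding warns about.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    constructor(address holder, uint256 supply) {
        balanceOf[holder] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // signal failure, no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

/// Vulnerable shape, as in the finding: the returned bool is dropped.
contract UncheckedSafetyWithdraw {
    address public owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function withdrawERC20Token(address tokenAddress, address to, uint256 amount)
        external onlyOwner
    {
        IERC20(tokenAddress).transfer(to, amount); // false return silently ignored
    }
}

/// Hardened shape: safeTransfer reverts when the token returns false and also
/// accepts tokens that return no data at all (non-standard implementations).
contract CheckedSafetyWithdraw {
    using SafeERC20 for IERC20;

    address public owner;
    constructor() { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function withdrawERC20Token(address tokenAddress, address to, uint256 amount)
        external onlyOwner
    {
        IERC20(tokenAddress).safeTransfer(to, amount);
    }
}

/// Driver: deploy and call run(). Neither withdraw contract holds any tokens,
/// so every transfer fails; the unchecked one still completes, the checked one
/// reverts. Expected result is (true, true).
contract Demo {
    function run() external returns (bool uncheckedSucceeded, bool checkedReverted) {
        UncheckedSafetyWithdraw unchecked_ = new UncheckedSafetyWithdraw(); // Demo is owner
        CheckedSafetyWithdraw checked = new CheckedSafetyWithdraw();
        FalseReturningToken token = new FalseReturningToken(address(this), 1000e18);

        // Completes without reverting even though no tokens moved.
        unchecked_.withdrawERC20Token(address(token), msg.sender, 1e18);
        uncheckedSucceeded = true;

        // SafeERC20 turns the false return into a revert.
        try checked.withdrawERC20Token(address(token), msg.sender, 1e18) {
            checkedReverted = false;
        } catch {
            checkedReverted = true;
        }
    }
}
```

The same reasoning applies to transferFrom: use safeTransferFrom rather than a bare require on the returned bool, because some widely used tokens return nothing at all and a plain `require(token.transfer(...))` would revert on every call to them. SafeERC20 treats empty return data as success and only a decoded false as failure.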

raymogg commented 3 years ago

Duplicate of #115

cemozerr commented 3 years ago

Marking this as it seems to be a duplicate of #96, from the same user.