The LendingPair._safeTransfer function will revert if a token does not return a boolean, because the interface function ERC20.transfer that it uses declares a boolean return value.
Some tokens (like USDT) don't correctly implement the EIP20 standard, and their transfer/transferFrom functions return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.
Impact
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.
Recommendation
We recommend using OpenZeppelin’s SafeERC20 library, whose safeTransfer function handles the return value check as well as non-standard-compliant tokens.
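The failure and the fix side by side, as an added example that is not the protocol's code or OpenZeppelin's: NoReturnToken and TransferDemo are hypothetical contracts, and tolerantTransfer is a simplified sketch of the kind of check SafeERC20.safeTransfer performs. TransferDemo must hold a NoReturnToken balance before either function is called.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Standard-shaped interface: callers compiled against it expect
// 32 bytes of return data that decode to a bool.
interface IERC20Strict {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed USDT-style token: transfer() returns nothing.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Hypothetical harness (assumption), standing in for the calling contract.
contract TransferDemo {
    // Before: reverts on NoReturnToken even though the token moved the
    // balance, because the return data is empty where a bool is expected.
    function strictTransfer(address token, address to, uint256 amount) external {
        bool ok = IERC20Strict(token).transfer(to, amount);
        require(ok, "transfer failed");
    }

    // After: low-level call, then accept either empty return data or
    // return data that decodes to true. A token returning false still fails.
    function tolerantTransfer(address token, address to, uint256 amount) external {
        // A call to an address without code succeeds with empty data,
        // so the code-size check is required for the empty case to be safe.
        require(token.code.length > 0, "not a contract");
        (bool success, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20Strict.transfer.selector, to, amount)
        );
        require(success, "call reverted");
        require(data.length == 0 || abi.decode(data, (bool)), "transfer returned false");
    }
}
```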
Handle
cmichel