No ERC20 safe* versions called

[code423n4]

Handle

cmichel

Vulnerability details

Some tokens (like USDT) don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.

The Auction.withdrawBounty function performs a IERC20(bounty.token).transfer(msg.sender, bounty.amount); call that neither checks the return value nor works with non-standard tokens.

Impact

Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.

As the bounty.token can be any token, safeTransfer should be used here.

Recommended Mitigation Steps

We recommend using OpenZeppelin’s SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.

[GalloDaSballo]

The finding is valid and it's very important the sponsor implements a check for ERC20 return values.

Because the warden already submitted a finding about using safeErc20, I'm marking this as invalid.