Use safeTransfer/safeTransferFrom consistently instead of transfer/transferFrom

[code423n4]

Handle

defsec

Vulnerability details

Impact

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Reference: This similar medium-severity finding from Consensys Diligence Audit of Fei Protocol: https://consensys.net/diligence/audits/2021/01/fei-protocol/#unchecked-return-value-for-iweth-transfer-call

Proof of Concept

1. Navigate to the following contracts.
2. transfer/transferFrom functions are used instead of safe transfer/transferFrom on the following contracts.

https://github.com/Badger-Finance/ibbtc-curve-zap/blob/47a9964d17f9c5bea314d21186773aef99012153/contracts/DepositZapibBTC.vy#L388

https://github.com/Badger-Finance/ibbtc-curve-zap/blob/47a9964d17f9c5bea314d21186773aef99012153/contracts/DepositZapibBTC.vy#L179

https://github.com/Badger-Finance/ibbtc-curve-zap/blob/47a9964d17f9c5bea314d21186773aef99012153/contracts/DepositZapibBTC.vy#L160

Tools Used

Code Review

Recommended Mitigation Steps

Consider using safeTransfer/safeTransferFrom or require() consistently.

[GalloDaSballo]

Agree wth finding, safeErc20 ftw