Some tokens (like USDT) don't correctly implement the EIP20 standard and their transfer/transferFrom function return void instead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.
Non-safe transfers are used in:
NestedFactory.unlockTokens
Impact
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.
Recommended Mitigation Steps
We recommend using OpenZeppelin’s SafeERC20 versions with the safeTransfer and safeTransferFrom functions that handle the return value check as well as non-standard-compliant tokens.
maximebrugel
commented
2 years ago
Handle
cmichel
Vulnerability details
Some tokens (like USDT) don't correctly implement the EIP20 standard and their
transfer/transferFromfunction returnvoidinstead of a success boolean. Calling these functions with the correct EIP20 function signatures will always revert.Non-safe transfers are used in:
NestedFactory.unlockTokensImpact
Tokens that don't correctly implement the latest EIP20 spec, like USDT, will be unusable in the protocol as they revert the transaction because of the missing return value.
Recommended Mitigation Steps
We recommend using OpenZeppelin’s
SafeERC20versions with thesafeTransferandsafeTransferFromfunctions that handle the return value check as well as non-standard-compliant tokens.