code-423n4 / 2021-12-yetifinance-findings


Unsafe transfer of ERC20 tokens of YetiFinanceTreasury #214

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Handle

kenzo

Vulnerability details

Some ERC20 tokens only return false and do not revert on a failed transfer or transferFrom. Yeti mostly handles this, but not in all places.

Impact

Wouldn't be able to easily tell if transfer succeeded.

Proof of Concept

When YetiFinanceTreasury sendsToken to the team wallet, it doesn't check whether the transfer succeeded. (Code ref)

    function sendToken(IERC20 _token, address _to, uint _amount) external onlyTeam {
        _token.transfer(_to, _amount);
    }

Recommended Mitigation Steps

Add a return value to the function and make sure the transfer succeeded.
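As an added illustration (not part of this finding or the Yeti codebase), a hardened sendToken that treats both a false return value and a failed call as an error and also copes with tokens that return no data; the minimal IERC20 interface and teamWallet/onlyTeam modifier are assumptions made so the snippet is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface; the real IERC20 used by the treasury is broader.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract HardenedTreasury {
    address public teamWallet; // assumed field standing in for the real team address

    modifier onlyTeam() {
        require(msg.sender == teamWallet, "not team");
        _;
    }

    constructor(address _teamWallet) {
        teamWallet = _teamWallet;
    }

    // Hardened replacement for the unchecked `_token.transfer(_to, _amount)`:
    //  - reverts if the call itself fails (token reverted or no code at address),
    //  - reverts if the token returned `false` instead of reverting,
    //  - accepts tokens that return no data at all (older non-standard ERC20s),
    //  - returns true so callers can rely on the result, as the mitigation suggests.
    function sendToken(IERC20 _token, address _to, uint256 _amount)
        external
        onlyTeam
        returns (bool)
    {
        require(address(_token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = address(_token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, _to, _amount)
        );
        // Empty return data is treated as success; otherwise the bool must be true.
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
        return true;
    }
}
```

OpenZeppelin's SafeERC20.safeTransfer implements the same check and is the usual drop-in fix.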

kingyetifinance commented 2 years ago

Duplicate #116

alcueca commented 2 years ago

For now, a duplicate of #1

alcueca commented 2 years ago

Duplicate of #94