code-423n4 / 2022-01-dev-test-repo-findings


Unsafe use of `transfer()`/`transferFrom()` with `IERC20` #289

Open code423n4 opened 10 months ago

code423n4 commented 10 months ago

Lines of code

377, 509, 491, 530, 42, 50

Vulnerability details

Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example, Tether (USDT)'s transfer() and transferFrom() functions on L1 do not return booleans as the specification requires, and instead have no return value. When these sorts of tokens are cast to IERC20, their function signatures do not match and therefore the calls made revert (see this link for a test case). Use OpenZeppelin's SafeERC20's safeTransfer()/safeTransferFrom() instead.

File: contracts/option-airdrop/AirdropBroker.sol

377                  paymentToken.transfer(
378                      paymentTokenBeneficiary,
379                      paymentToken.balanceOf(address(this))
380:                 );

509          _paymentToken.transferFrom(
510              msg.sender,
511              address(this),
512              discountedPaymentAmount
513:         );

File: contracts/options/TapiocaOptionBroker.sol

491                  paymentToken.transfer(
492                      paymentTokenBeneficiary,
493                      paymentToken.balanceOf(address(this))
494:                 );

530          _paymentToken.transferFrom(
531              msg.sender,
532              address(this),
533              discountedPaymentAmount
534:         );

File: contracts/tokens/LTap.sol

42:          tapToken.transferFrom(msg.sender, address(this), amount);

50:          tapToken.transfer(msg.sender, amount);

Assessed type

other
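Added example (not from the report or the audited code base) showing the unsafe pattern beside a hardened one. `UnsafeBroker`, `SafeBroker` and `SafeTransferLib` are hypothetical names; the library reimplements the return-data check that OpenZeppelin's SafeERC20 performs so the snippet compiles without external imports, and in practice the SafeERC20 recommended in the finding should be used instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal ERC20 interface, defined inline so the example is self-contained.
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The pattern from the finding (hypothetical contract). The high-level call
// expects 32 bytes of return data, so a token such as L1 USDT, which returns
// nothing, makes the call revert; a token that returns false is silently accepted.
contract UnsafeBroker {
    IERC20 public immutable paymentToken;
    constructor(IERC20 token) { paymentToken = token; }
    function sweep(address beneficiary) external {
        paymentToken.transfer(beneficiary, paymentToken.balanceOf(address(this)));
    }
}

// The same check OpenZeppelin's SafeERC20 performs: a low-level call whose
// return data is either empty (non-standard token) or decodes to true.
library SafeTransferLib {
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _callOptionalReturn(token, abi.encodeWithSelector(token.transfer.selector, to, amount));
    }
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _callOptionalReturn(token, abi.encodeWithSelector(token.transferFrom.selector, from, to, amount));
    }
    function _callOptionalReturn(IERC20 token, bytes memory data) private {
        (bool ok, bytes memory ret) = address(token).call(data);
        // Empty return data only counts as success if the target is a contract;
        // a call to an address with no code also returns nothing and succeeds.
        bool accepted = ret.length == 0 ? address(token).code.length > 0 : abi.decode(ret, (bool));
        require(ok && accepted, "SafeTransferLib: transfer failed");
    }
}

contract SafeBroker {
    using SafeTransferLib for IERC20;
    IERC20 public immutable paymentToken;
    constructor(IERC20 token) { paymentToken = token; }
    function sweep(address beneficiary) external {
        paymentToken.safeTransfer(beneficiary, paymentToken.balanceOf(address(this)));
    }
    function pay(uint256 amount) external {
        paymentToken.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

With a non-returning token, `UnsafeBroker.sweep` reverts while `SafeBroker.sweep` succeeds; with a token that returns `false`, only `SafeBroker` reverts.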