Lines of code
https://github.com/code-423n4/2022-02-concur/blob/72b5216bfeaa7c52983060ebfc56e72e0aa8e3b0/contracts/ConvexStakingWrapper.sol#L182
Vulnerability details
Impact
There are calls to ERC20 transfer, where safeTransfer should be used instead. Some ERC20 compliant tokens may not revert on failure and instead return false. The use of safeTransfer will mitigate this issue. For more reference, see this medium severity finding of the same issue on a previous C4 contest: https://github.com/code-423n4/2021-11-bootfinance-findings/issues/31.
Proof of Concept
See example of unchecked transfer here.
Tools Used
Inspection.
Recommended Mitigation Steps
Use safeTransfer instead of transfer.