Lines of code
https://github.com/code-423n4/2022-05-factorydao/tree/main/contracts
Vulnerability details
Impact
There are several contracts which do not utilise OpenZeppelin's SafeERC20 library when performing token transfers. The FactoryDAO suite of smart contracts intends to support transfers of all tokens, including non-standard tokens such as USDT, whose transfer() and transferFrom() do not return a boolean value (they return nothing). Calling such a token through the standard IERC20 interface reverts, because Solidity attempts to decode a bool from empty return data, so deposits and withdrawals of these tokens fail. Conversely, a token that signals failure by returning false instead of reverting has that failure ignored wherever the returned boolean is not checked. This limits the usage of the protocol to only certain types of tokens.
Recommended Mitigation Steps
Consider making use of OpenZeppelin's safeTransfer() and safeTransferFrom() functions in all instances where transfer() and transferFrom() are used. SafeERC20 tolerates empty return data and reverts when a token returns false, so both classes of non-standard token are handled by the same call.
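The following is an added illustration, not FactoryDAO code: a minimal vault written twice, once with raw transfer()/transferFrom() calls as the finding describes, and once using SafeERC20. The contract names (UnsafeVault, SafeVault, NoReturnToken) and the NoReturnToken mock, which mimics a USDT-style token that returns nothing from its transfer functions, are constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed stand-in for a token like USDT whose transfer functions
// return nothing instead of a bool. Not a real token.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() {
        balanceOf[msg.sender] = 1_000_000e18;
    }

    function approve(address spender, uint256 value) external {
        allowance[msg.sender][spender] = value;
    }

    // No return value: reverts on insufficient balance via 0.8 checked math.
    function transfer(address to, uint256 value) external {
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
    }

    function transferFrom(address from, address to, uint256 value) external {
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }
}

// Pattern the finding describes: raw IERC20 calls, return value unchecked.
contract UnsafeVault {
    mapping(address => mapping(address => uint256)) public balances;

    function deposit(IERC20 token, uint256 amount) external {
        // With a NoReturnToken this call reverts: the IERC20 ABI promises a
        // bool, and Solidity rejects the empty return data while decoding.
        // With a token that returns false on failure, the false is dropped
        // here and the caller is credited for tokens that never arrived.
        token.transferFrom(msg.sender, address(this), amount);
        balances[msg.sender][address(token)] += amount;
    }

    function withdraw(IERC20 token, uint256 amount) external {
        balances[msg.sender][address(token)] -= amount;
        token.transfer(msg.sender, amount);
    }
}

// Mitigation: SafeERC20 accepts empty return data and reverts on `false`.
contract SafeVault {
    using SafeERC20 for IERC20;

    mapping(address => mapping(address => uint256)) public balances;

    function deposit(IERC20 token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        balances[msg.sender][address(token)] += amount;
    }

    function withdraw(IERC20 token, uint256 amount) external {
        balances[msg.sender][address(token)] -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}
```

Deploying NoReturnToken, approving each vault, and calling deposit(IERC20(address(token)), 1e18) shows the difference: UnsafeVault.deposit reverts on the return-data check, while SafeVault.deposit succeeds and credits the balance. The same SafeERC20 calls also turn a silently returned false into a revert, which is why the library rather than a per-token special case is the recommended fix.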