Lines of code
https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L87
Vulnerability details
Calls transfer()/transferFrom() With IERC20
Description
transfer() and transferFrom() are the ERC-20 methods for moving tokens from one address to another. Calling them directly through the IERC20 interface and ignoring the result is unsafe for two reasons. First, the standard says both return a bool that the caller must check, but a number of deployed tokens return false on failure instead of reverting; when the return value is discarded, a failed transfer is treated as a success and the contract's internal accounting diverges from the tokens it actually holds (a deposit is credited although nothing arrived, or a payout is recorded although nothing was sent). Second, some tokens (USDT is the best-known) return no value at all, so a call through IERC20, which expects a bool, reverts while decoding the empty return data even though the transfer succeeded, and that code path becomes unusable with such a token. OpenZeppelin's SafeERC20 library (safeTransfer and safeTransferFrom) wraps the call, treats empty return data as success and reverts whenever the token returns false, so a failed transfer can never pass silently. Note that ERC-20 defines no receiver hook; the onERC721Received check belongs to ERC-721's safeTransferFrom and is a different mechanism. Whether any of the call sites below is exploitable today depends on the token behind staderConfig.getStaderToken(): a token that always reverts on failure and returns true makes the unchecked calls safe in practice, but the contracts take the token address from configuration, so the pattern should be hardened regardless.
There are 6 instances of this issue:
File: contracts/Auction.sol#55
IERC20(staderConfig.getStaderToken()).transferFrom(msg.sender, address(this), _sdAmount) use safeTransferFrom instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L55
File: contracts/Auction.sol#114
IERC20(staderConfig.getStaderToken()).transfer(staderConfig.getStaderTreasury(), _sdAmount) use safeTransfer instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L114
File: contracts/SDCollateral.sol#47
IERC20(staderConfig.getStaderToken()).transferFrom(operator, address(this), _sdAmount) use safeTransferFrom instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SDCollateral.sol#L47
File: contracts/SocializingPool.sol#129
IERC20(staderConfig.getStaderToken()).transfer(operatorRewardsAddr, totalAmountSD) use safeTransfer instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SocializingPool.sol#L129
File: contracts/SDCollateral.sol#68
IERC20(staderConfig.getStaderToken()).transfer(payable(operator), _requestedSD) use safeTransfer instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/SDCollateral.sol#L68
File: contracts/Auction.sol#87
IERC20(staderConfig.getStaderToken()).transfer(lotItem.highestBidder, lotItem.sdAmount) use safeTransfer instead. https://github.com/code-423n4/2023-06-stader/blob/main/contracts/Auction.sol#L87
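As an added illustration of the description above (example code written for this page, not Stader's contracts), the following shows the unchecked IERC20 pattern beside its SafeERC20 form. FalseReturningToken, UncheckedVault, SafeVault and Demo are constructed mocks with hypothetical names; the import paths assume OpenZeppelin Contracts v4.9 or later. Demo.phantomDeposit deposits from an account that holds no tokens: the unchecked vault records the credit even though the token returned false and no balance moved. Demo.safeDepositRejected shows the same deposit reverting under SafeERC20. The USDT-style token that returns no value is not mocked here; SafeERC20 handles that case by accepting empty return data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Stader code. Assumes OpenZeppelin Contracts v4.9+ import paths.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Constructed mock: a token that returns false on failure instead of reverting.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure, no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        if (balanceOf[from] < amount || allowance[from][msg.sender] < amount) return false;
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// The pattern flagged in the finding: IERC20 calls with the bool return value ignored.
contract UncheckedVault {
    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        // If transferFrom returns false, execution continues and the deposit is credited anyway.
        token.transferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        // If transfer returns false, the caller's credit is burned and no tokens move.
        token.transfer(msg.sender, amount);
    }
}

// Hardened form: SafeERC20 reverts on a false return and tolerates tokens that return nothing.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public deposits;

    constructor(IERC20 token_) { token = token_; }

    function deposit(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;
        token.safeTransfer(msg.sender, amount);
    }
}

// Driver: deposits 100 tokens into each vault from an account that holds none.
contract Demo {
    // Unchecked vault: returns the credit it recorded and the balance it actually holds.
    function phantomDeposit() external returns (uint256 credited, uint256 held) {
        FalseReturningToken t = new FalseReturningToken();
        UncheckedVault v = new UncheckedVault(IERC20(address(t)));
        t.approve(address(v), 100 ether);
        v.deposit(100 ether); // transferFrom returns false; nothing reverts
        return (v.deposits(address(this)), t.balanceOf(address(v)));
    }

    // Safe vault: the same deposit is rejected, so no phantom credit can be created.
    function safeDepositRejected() external returns (bool rejected) {
        FalseReturningToken t = new FalseReturningToken();
        SafeVault v = new SafeVault(IERC20(address(t)));
        t.approve(address(v), 100 ether);
        try v.deposit(100 ether) {
            return false;
        } catch {
            return true;
        }
    }
}
```

Compile with solc or Foundry with the OpenZeppelin package installed and call the two Demo functions; the gap between credited and held in phantomDeposit is exactly the accounting drift that an unchecked transferFrom at SDCollateral.sol#47 or Auction.sol#55 would produce against a non-reverting token.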
Assessed type
ERC20