Open hats-bug-reporter[bot] opened 1 year ago
Looks like on OP, USDT returns a bool: https://optimistic.etherscan.io/token/0x94b008aa00579c1307b0ef2c499ad98a8ce58e58#code.
Are you aware of any other token on OP that may have this issue?
I would say for OP there's no such token
OK thanks. Regardless I have used safeApprove as it is best practice. Thanks for the report.
Github username: @GalloDaSballo Submission hash (on-chain): 0x9edab194e97a358e3a68d899d2dc41b6d09b1522c97918e7c0af1b938aeaf757 Severity: low severity
Description:
Description
Tokens that don't return a
bool
will fail because the contract is usingapprove
instead ofsafeApprove
Instances
https://github.com/hats-finance/VMEX-0x41547b88e8d46bfdb6327c0c3ab4b5a1cffb11cd/blob/4bc577756e15418b919a49a1bdec0a98fd39bdbd/packages/contracts/contracts/protocol/incentives/ExternalRewardDistributor.sol#LL61C24-L61C31
Am marking as Low because the admin will be unable to add the token, meaning no tokens will be lost
Also I am aware that VMEX is launching on Optimism so this finding may be downgraded for that reason
Steps to reproduce
Expected behavior
Transfer should work
Actual behavior
Tx will revert
Screenshots
If applicable, add screenshots to help explain your problem.
Additional information
See POC of a demo
Which will revert
You can verify that tokens such as USDT do not return a boolean https://etherscan.io/token/0xdac17f958d2ee523a2206206994597c13d831ec7
Mitigation
Use the safeERC20 from OZ