SLE-04S: Improper Invocations of EIP-20 transfer / transferFrom

Description:
The linked statements do not properly validate the returned bool values of the EIP-20 standard transfer & transferFrom functions. As the standard dictates, callers must not assume that false is never returned.

Impact:
If the code mandates that the returned bool is true, this will cause incompatibility with tokens such as USDT / Tether as no such bool is returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return a false value under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.

Example:

Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20 by OpenZeppelin to opportunistically validate the returned bool only if it exists in each instance.
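
The two flagged patterns next to a wrapper that validates the bool only when one is returned, as an added sketch that is neither the audited project's code nor OpenZeppelin's SafeERC20. The names IERC20Like, OptionalReturn and Vault and the simplified credited ledger are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. IERC20Like, OptionalReturn and Vault are hypothetical names.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

library OptionalReturn {
    error TransferFailed(address token);

    function safeTransferFrom(IERC20Like token, address from, address to, uint256 amount) internal {
        bytes memory data = abi.encodeCall(token.transferFrom, (from, to, amount));
        (bool ok, bytes memory ret) = address(token).call(data);
        if (!ok) revert TransferFailed(address(token)); // token reverted
        if (ret.length == 0) {
            // No bool returned (USDT-style). A call to an address without code
            // also succeeds with empty return data, so require a contract.
            if (address(token).code.length == 0) revert TransferFailed(address(token));
        } else if (!abi.decode(ret, (bool))) {
            revert TransferFailed(address(token)); // token reported failure
        }
    }
}

contract Vault {
    using OptionalReturn for IERC20Like;
    mapping(address => uint256) public credited; // simplified ledger (assumption)

    // Flagged pattern 1: the returned bool is dropped, so a token that returns
    // false without reverting is still credited.
    function depositUnchecked(IERC20Like token, uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }

    // Flagged pattern 2: the bool is mandatory, so a token that returns no data
    // makes the return-value decoding fail and every deposit reverts.
    function depositStrict(IERC20Like token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        credited[msg.sender] += amount;
    }

    // Wrapper-based form: the bool is validated only when it is present.
    function depositSafe(IERC20Like token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }
}
```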