The linked statements do not properly validate the returned bool values of the EIP-20 standard transfer & transferFrom functions. As the standard dictates, callers must not assume that false is never returned.
Impact:
If the code mandates that the returned bool is true, this will cause incompatibility with tokens such as USDT / Tether as no such bool is returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return a false value under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20 by OpenZeppelin to opportunistically validate the returned bool only if it exists in each instance.
HKskn
commented
3 months ago
SLE-04S: Improper Invocations of EIP-20
transfer/transferFromDescription:
The linked statements do not properly validate the returned
boolvalues of the EIP-20 standardtransfer&transferFromfunctions. As the standard dictates, callers must not assume thatfalseis never returned.Impact:
If the code mandates that the returned
boolistrue, this will cause incompatibility with tokens such as USDT / Tether as no suchboolis returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return afalsevalue under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.Example:
Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as
SafeERC20by OpenZeppelin to opportunistically validate the returnedboolonly if it exists in each instance.