ERC20 implementations are not always consistent. Some implementations of transfer and transferFrom could return false on failure instead of reverting. It is safer to wrap such calls into require() statements or use safe wrapper functions implementing return value/data checks to handle these failures. For reference, see similar Medium-severity finding from Consensys Diligence Audit of Aave Protocol V2.
While the contract uses Uniswap's TransferHelper library function safeTransfer in other places for ERC20 tokens (which call the token's transfer / transferFrom functions and check return value for success and return data), it misses using TransferHelper.safeTransferFrom in some cases without checking for its return value.
Deivitto
medium
erc20 not checked on transfer
Summary
erc20 not checked on transfer
Vulnerability Detail
ERC20 implementations are not always consistent. Some implementations of
transfer
andtransferFrom
could returnfalse
on failure instead of reverting. It is safer to wrap such calls intorequire()
statements or use safe wrapper functions implementing return value/data checks to handle these failures. For reference, see similar Medium-severity finding from Consensys Diligence Audit of Aave Protocol V2.While the contract uses Uniswap's TransferHelper library function
safeTransfer
in other places for ERC20 tokens (which call the token'stransfer
/transferFrom
functions and check return value for success and return data), it misses usingTransferHelper.safeTransferFrom
in some cases without checking for its return value.See similar issue previously reported
Impact
Lose of assets
Code Snippet
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L220
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L301
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L519
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L639
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L195
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L197
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L512
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/integrations/perp/PerpDepository.sol#L626
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/core/UXDController.sol#L225
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/governance/UXDGovernor.sol#L213
https://github.com/sherlock-audit/2023-01-uxd/blob/main/contracts/governance/UXDTimelockController.sol#L63
Tool used
Manual Review
Recommendation
As already done in Uniswapper