thisvishalsingh - Arbitrary from passed to YieldToken::transferFrom leads to loss of funds.
thisvishalsingh
medium

title: "Arbitrary from passed to YieldToken::transferFrom leads to loss of funds."
labels: "High"

Summary
Not all ERC20 tokens are compliant with the EIP20 standard. Some do not return a boolean flag, and some do not revert on failure. Use safeTransferFrom consistently instead of transferFrom.

Vulnerability Detail
Some [weird-erc20] tokens do not revert on failure, but instead return false (e.g. ZRX).
https://github.com/d-xo/weird-erc20/#no-revert-on-failure
YieldToken::transferFrom is used directly to send tokens. If the token transfer fails, it will cause serious problems.

Impact
Passing an arbitrary from address to transferFrom (or safeTransferFrom) can lead to loss of funds, because anyone can transfer tokens from the from address if an approval has been made.

Code Snippet

Tool used
Manual Review

Recommendation
Consider using safeTransferFrom consistently.
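The two defects the finding describes, shown side by side in an added illustration (not YieldToken's code; the vault contracts, the `deposit` function and the `shares` mapping are assumptions). `VulnerableVault` ignores the boolean returned by `transferFrom` and lets the caller choose `from`; `HardenedVault` pulls only from `msg.sender` through OpenZeppelin's `SafeERC20`, which reverts both when the token reverts and when it returns false.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical vault reproducing the pattern in the finding (not YieldToken).
contract VulnerableVault {
    IERC20 public immutable asset;
    mapping(address => uint256) public shares;

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    /// Defect 1: the boolean returned by transferFrom is discarded. A token that
    /// returns false instead of reverting (ZRX-style) moves nothing, yet shares
    /// are still credited, so the vault's accounting no longer matches its balance.
    /// Defect 2: `from` is caller-supplied. Any address that has approved this
    /// vault can be drained by a third party, who receives the shares.
    function deposit(address from, uint256 amount) external {
        asset.transferFrom(from, address(this), amount);
        shares[msg.sender] += amount;
    }
}

/// Same vault with both issues closed.
contract HardenedVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    mapping(address => uint256) public shares;

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    /// Fix 1: safeTransferFrom reverts on a false return and on a missing
    /// return value, so shares are only credited when tokens actually moved.
    /// Fix 2: tokens are pulled exclusively from msg.sender, so an approval
    /// granted to the vault can only be spent by the approver.
    function deposit(uint256 amount) external {
        asset.safeTransferFrom(msg.sender, address(this), amount);
        shares[msg.sender] += amount;
    }
}
```

A unit test against the hardened contract with a mock token whose `transferFrom` returns false should see the deposit revert and the balance stay unchanged; against the vulnerable one it will see shares minted with no tokens received.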