sherlock-audit / 2024-02-telcoin-platform-audit-update-judging


prettychimes - [M-01] Use safeTransfer() instead of _transfer #68

Closed sherlock-admin2 closed 8 months ago

sherlock-admin2 commented 8 months ago

prettychimes

medium

[M-01] Use safeTransfer() instead of _transfer

Summary

transfer() might return false instead of reverting; in this case, ignoring the return value leads to considering it successful.

Vulnerability Detail

Tokens not compliant with the ERC20 specification could return false from the transfer function call to indicate the transfer fails, while the calling contract would not notice the failure if the return value is not checked. Checking the return value is a requirement, as written in the EIP-20 specification:

Callers MUST handle false from returns (bool success). Callers MUST NOT assume that false is never returned!

Impact

Tokens not compliant with the ERC20 specification could return false from the transfer function call to indicate the transfer fails, while the calling contract would not notice the failure if the return value is not checked.

Code Snippet

Referenced code: Stablecoin.sol#L124

Tool used

Manual Review

Recommendation

Use safeTransfer(), or check the return value if the length of the returned data is > 0.
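The failure mode described in this report, shown as an added example that is not part of the issue or of the audited Stablecoin.sol: a constructed token that returns false instead of reverting, a payout contract that drops the bool (and so zeroes the user's balance without moving tokens), and a hardened variant that applies the "length of returned data > 0" check from the recommendation. The `Payout`, `FalseReturningToken` and `credit` names are assumptions for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface; only transfer() is needed here.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token that signals failure by returning false rather than reverting.
contract FalseReturningToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    constructor() { balanceOf[msg.sender] = 1_000 ether; }
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert on failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Payout {
    IERC20 public immutable token;
    mapping(address => uint256) public owed;
    constructor(IERC20 _token) { token = _token; }
    // Demo only: credits a claimable balance (assumed helper, no access control).
    function credit(address who, uint256 amt) external { owed[who] += amt; }

    // Vulnerable pattern: the bool is dropped, so a false return is treated as
    // success and `owed` is zeroed even though no tokens moved.
    function claimUnchecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        token.transfer(msg.sender, amount); // return value silently ignored
    }

    // Hardened pattern: revert unless the call succeeded and, when the token
    // returns data, that data decodes to true. Tokens that return no data
    // (pre-EIP-20 style) are accepted, mirroring the report's recommendation.
    function claimChecked() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        _safeTransfer(token, msg.sender, amount);
    }

    function _safeTransfer(IERC20 t, address to, uint256 amount) internal {
        (bool ok, bytes memory data) =
            address(t).call(abi.encodeCall(IERC20.transfer, (to, amount)));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

OpenZeppelin's SafeERC20.safeTransfer performs the same check and additionally rejects a token address that has no code, so prefer it over a hand-rolled helper like `_safeTransfer` above.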

sherlock-admin3 commented 8 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

low