This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
BAHOZ - Return of arbitrary ERC20 transfer is not checked in escrow #85
Comments
github-actions
bot
added
Medium
You've deleted an escalation for this issue. |
sherlock-admin
added
Escalated
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
BAHOZ
medium
Return of arbitrary ERC20 transfer is not checked in escrow
Summary
The return value of erc20.transfer call in
transferERC20()is not checked.Vulnerability Detail
Several tokens do not revert in case of transfer failure and return
falseinstead. If one of these tokens is used here, although transfer fails,transferERC20()will not revert. Moreover, the return value is not returned to the caller, which makes it impossible to handle this issue in case it is called by another contract that expects a successful transfer.Impact
Depending on where the function is called from, the impact can be quite severe.
Code Snippet
https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumEscrow.sol#L110
Tool used
Static Analysis
Recommendation
Require the return value of the transfer to be
trueor use OZ'sSafeERC20wrapper for ERC20 tokens.Duplicate of #86
The text was updated successfully, but these errors were encountered: