This repository has been archived by the owner on May 26, 2023. It is now read-only.

007.md


seeu

high

ERC20 transferFrom is not checked

Summary

ERC20 transferFrom is not checked

Vulnerability Detail

On completion, the transferFrom method returns a boolean. To determine whether the transfer actually succeeded, that return value must be checked by the caller.

Impact

If the transfer fails, certain tokens return false rather than reverting. When such a token returns false and does not actually move the tokens, the unchecked call still completes and the caller proceeds as if the transfer had succeeded.

EURS and BAT are examples of tokens that return false instead of reverting; with an unchecked call, the transaction is still counted as successful.

Code Snippet

optimism/packages/contracts-bedrock/contracts/L1/L1ERC721Bridge.sol#L101

IERC721(_localToken).transferFrom(_from, address(this), _tokenId);

Tool used

  • Manual Review

Recommendation

Check the value of transferFrom. Alternatively, it is advised to use OpenZeppelin's SafeERC20.

An example is the following:

import {IERC721} from "@openzeppelin/contracts/token/ERC721/IERC721.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// ...

// IERC721.safeTransferFrom reverts on failure (and checks onERC721Received on
// contract recipients), so there is no boolean to inspect. For ERC20 tokens the
// equivalent wrapper is SafeERC20.safeTransferFrom(IERC20(token), from, to, amount).
IERC721(_localToken).safeTransferFrom(_from, address(this), _tokenId);

A reference: