Category: Coding Mistakes

Direct usage of transferFrom

Medium Severity
Medium Impact
N/A Likelihood

Description

When processing ERC-20 payments, the payBills function calls transferFrom directly and requires the token's boolean return value to be true as its indication of success.

Unfortunately, some tokens — including USDT and BNB on some chains — do not strictly adhere to the ERC-20 standard: their transferFrom function does not return a value, so a caller that expects a boolean reverts when it tries to decode the empty return data.

Impact

The AcctualBatchBillPay contract has interoperability issues with tokens it may need to handle, now or in the future.

Recommendations

Use a SafeERC20 library (such as OpenZeppelin) to ensure maximum compatibility.

For reference, this is a list of other ERC-20 tokens with various quirks, including but not limited to missing return values: https://github.com/d-xo/weird-erc20.
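The pattern the finding describes and the recommended fix, side by side, as an added illustration that is not code from the audited AcctualBatchBillPay contract; the Bill struct, the contract names and the payBills signature are assumed, and the library imports are OpenZeppelin's published paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Assumed shape of a bill; the real contract's data layout is not reproduced here.
struct Bill {
    address payee;
    uint256 amount;
}

contract BatchBillPayBefore {
    // Pattern the finding describes: a high-level call whose ABI decoder expects a
    // bool. A token whose transferFrom returns nothing (e.g. USDT on mainnet) leaves
    // empty return data, so decoding reverts and the whole batch fails for that token.
    function payBills(IERC20 token, Bill[] calldata bills) external {
        for (uint256 i = 0; i < bills.length; i++) {
            require(
                token.transferFrom(msg.sender, bills[i].payee, bills[i].amount),
                "transfer failed"
            );
        }
    }
}

contract BatchBillPayAfter {
    using SafeERC20 for IERC20;

    // Recommended pattern: safeTransferFrom makes a low-level call, reverts if the
    // call itself fails, accepts either empty return data or a decoded `true`, and
    // still reverts on an explicit `false`. Non-returning tokens therefore work,
    // while tokens that signal failure by return value are still caught.
    function payBills(IERC20 token, Bill[] calldata bills) external {
        for (uint256 i = 0; i < bills.length; i++) {
            token.safeTransferFrom(msg.sender, bills[i].payee, bills[i].amount);
        }
    }
}
```

SafeERC20 does not cover every quirk in the weird-erc20 list (fee-on-transfer or rebasing tokens still change the amount actually received), so the fix addresses the missing return value specifically.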

Remediation

This issue has been acknowledged by Acctual, and a fix was implemented in commit 3e095382.

Zellic © 2024