Raw ERC-20 interface usage
Description
The deposit_erc20 function directly uses the ERC-20 transferFrom interface to transfer tokens. The call is wrapped in a require statement. While this is technically correct, some tokens do not implement the ERC-20 standard correctly, including not returning a boolean value from transferFrom. Notably, this includes USDT and BNB.

Additionally, the process_erc20_withdrawal function does not check the return value of the transfer; some tokens do not revert but return false if a transfer fails.
Impact
The code may not be compatible with several assets, including USDT and BNB.
Recommendations
We recommend using SafeERC20 for handling the ERC-20 tokens, as it guarantees compatibility with the vast majority of popular assets without compromising on security checks.
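The two raw-interface patterns described above, placed beside their SafeERC20 equivalents, as an added illustration rather than Gasp's code. The contracts, storage layout and function bodies are hypothetical (only the function names come from the finding), and SafeERC20/IERC20 are assumed to be OpenZeppelin's.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical vault reproducing the two patterns in the finding.
// Not Gasp's code: the bodies are illustrative.
contract RawVault {
    mapping(address => mapping(address => uint256)) public balances;

    // Pattern 1: require() around a raw transferFrom.
    // IERC20.transferFrom is declared as returning bool, so the compiler
    // abi-decodes 32 bytes of returndata. A USDT-style token returns nothing,
    // the decode reverts, and deposits of that token can never succeed.
    function deposit_erc20(address token, uint256 amount) external {
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[token][msg.sender] += amount;
    }

    // Pattern 2: return value of transfer ignored.
    // A token that returns false instead of reverting leaves the user's
    // balance debited although no tokens left the vault.
    function process_erc20_withdrawal(address token, uint256 amount) external {
        balances[token][msg.sender] -= amount;
        IERC20(token).transfer(msg.sender, amount);
    }
}

// Hardened version: safeTransfer/safeTransferFrom use a low-level call,
// accept empty returndata (no-return tokens) and revert if the token
// returns false, covering both failure modes above.
contract SafeVault {
    using SafeERC20 for IERC20;

    mapping(address => mapping(address => uint256)) public balances;

    function deposit_erc20(address token, uint256 amount) external {
        IERC20(token).safeTransferFrom(msg.sender, address(this), amount);
        balances[token][msg.sender] += amount;
    }

    function process_erc20_withdrawal(address token, uint256 amount) external {
        balances[token][msg.sender] -= amount;
        IERC20(token).safeTransfer(msg.sender, amount);
    }
}
```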
Remediation
This issue has been acknowledged by Gasp, and fixes were implemented in the following commits: