Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Gasp Node and Monorepo>Medium findings>Raw ERC-20 interface usage
GeneralOverview
Findings
Critical (2)
High (1)
Medium (1)Raw ERC-20 interface usage
Low (2)
Informational (3)
DiscussionMixed-endian usage could cause unintended behavior
DesignRolldown Solidity contract
Threat ModelWhat are threat models?FinalizerTaskManager.solRolldown.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Raw ERC-20 interface usage

Medium Severity
Medium Impact
Low Likelihood

Description

The deposit_erc20 function directly uses the ERC-20 transferFrom interface to transfer tokens. The call is wrapped in a require statement. While this is technically correct, some tokens do not implement the ERC-20 standard correctly, including not returning a boolean value from transferFrom. Notably, this includes USDT and BNB.

Additionally, the process_erc20_withdrawal function does not check the return value of the transfer; some tokens do not revert but return false if a transfer fails.

Impact

The code may not be compatible with several assets, including USDT and BNB.

Recommendations

We recommend using SafeERC20 for handling the ERC-20 tokens, as it guarantees compatibility with the vast majority of popular assets without compromising on security checks.

Remediation

This issue has been acknowledged by Gasp, and fixes were implemented in the following commits:

Zellic © 2025Back to top ↑