Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Palmy Finance>Informational findings>Return value from ,transferFrom, should be checked
GeneralOverview
Findings
High (5)
Medium (3)
Low (1)
Informational (2)Unchecked return value from `transferFrom`Centralization risk
DiscussionTest suiteOracle risksUnused codeTypos
Threat ModelWhat are threat models?FeeDistributor.solLeverager.solVoter.solVotingEscrow.sol
Audit ResultsSummary
Category: Coding Mistakes

Return value from transferFrom should be checked

Informational Severity
Informational Impact
N/A Likelihood

Description

The Leverager and IncentivesController contracts use the transferFrom function but do not validate the return value. The transferFrom function is not required to revert when the transfer fails (due to the insufficient balance or approval) under the ERC-20 token standard, and some ERC-20 tokens return false rather than revert in fact.

Impact

This can lead to unexpected results on the features of these contracts (e.g., transferring the incomplete reward to the user in case the rewards vault has insufficient balance or reverting). The lack of checks in these contracts do not cause the loss of funds.

Recommendations

Consider checking the return value from transferFrom.

Remediation

Zellic © 2025Back to top ↑