Category: Business Logic
The transferFrom function could fail
Medium Impact
Medium Severity
Medium Likelihood
Description
The FeeWrapper4626 vault currently uses the transferFrom function to transfer ERC-20 tokens. However, some nonstandard ERC-20 tokens, such as USDT, do not return a success status from their transferFrom function. This deviation from the standard EIP-20 implementation can lead to unexpected behavior in the protocol.
Impact
Incompatibility with some nonstandard tokens.
Recommendations
We recommend using OpenZeppelin's SafeERC20 library, whose safeTransfer and safeTransferFrom functions handle the return-value check and also support tokens that do not fully comply with the standard.
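The following added example (written for this report, not StakeKit's FeeWrapper4626 code) contrasts the flagged pattern with the recommended one. `UncheckedVault`, `SafeVault`, `NoReturnToken` and the `deposit` function are illustrative names chosen here; the mock token is constructed to mimic a USDT-style `transferFrom` that returns no data.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed mock (hypothetical, for illustration only) of a token whose
/// transferFrom returns nothing instead of the EIP-20 `bool`, as USDT does.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function approve(address spender, uint256 amount) external { allowance[msg.sender][spender] = amount; }

    // Note: no `returns (bool)`, so the call returns zero bytes of return data.
    function transferFrom(address from, address to, uint256 amount) external {
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// Pattern flagged in the finding: a plain IERC20 call.
contract UncheckedVault {
    IERC20 public immutable asset;

    constructor(IERC20 asset_) { asset = asset_; }

    function deposit(uint256 amount) external {
        // IERC20.transferFrom is declared `returns (bool)`. Against a token
        // like NoReturnToken the ABI decoder finds no return data and reverts,
        // so every deposit of that asset fails. Against a token that returns
        // `false` on failure, the ignored result would let accounting continue
        // without any tokens having moved.
        asset.transferFrom(msg.sender, address(this), amount);
        // ... share accounting would follow here ...
    }
}

/// Recommended pattern: SafeERC20 wrappers.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;

    constructor(IERC20 asset_) { asset = asset_; }

    function deposit(uint256 amount) external {
        // safeTransferFrom makes a low-level call, reverts if the call reverts,
        // accepts either empty return data or a decoded `true`, and reverts on
        // a decoded `false`. NoReturnToken therefore works here.
        asset.safeTransferFrom(msg.sender, address(this), amount);
        // ... share accounting would follow here ...
    }
}
```

Deploying `NoReturnToken`, approving each vault, and calling `deposit` shows the difference directly: the `UncheckedVault` call reverts on return-data decoding, while the `SafeVault` call succeeds and the vault's balance in the mock increases by `amount`.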
Remediation
This issue has been acknowledged by StakeKit. The issue was fixed with commit . They now handle nonstandard ERC-20 tokens using OpenZeppelin's SafeERC20 library.