Omniscia Echidna Finance Audit

Booster Static Analysis Findings

BOO-01S: Improper Invocation of EIP-20 transferFrom

Description:

The linked statement does not properly validate the returned bool of the EIP-20 standard transferFrom function. As the standard dictates, callers must not assume that false is never returned.

Example:

contracts/core/Booster.sol
    if (
        extraRewardAmount != 0 &&
        extraRewardsPools[_pid].virtualBalanceRewardPool != address(0x0)
    ) {
        // Flagged call: the bool returned by transferFrom is not checked
        IERC20(extraRewardsPools[_pid].token).transferFrom(
            address(depositorProxy),
            address(this),
            extraRewardAmount
        );

        SafeERC20.safeApprove(
            IERC20(extraRewardsPools[_pid].token),
            extraRewardsPools[_pid].virtualBalanceRewardPool,
            0
        );
        SafeERC20.safeApprove(
            IERC20(extraRewardsPools[_pid].token),
            extraRewardsPools[_pid].virtualBalanceRewardPool,
            extraRewardAmount
        );

        IVirtualBalanceRewardPool(
            extraRewardsPools[_pid].virtualBalanceRewardPool
        ).queueNewRewards(extraRewardAmount);
    }

Recommendation:

Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise using a safe wrapper library instead, such as SafeERC20 by OpenZeppelin, which opportunistically validates the returned bool only if it exists.
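What "validate the returned bool only if it exists" means in code, as an added example that is not taken from the audit, from the audited code base or from OpenZeppelin's library. The names CheckedTransfer, IERC20Minimal and RewardPuller are hypothetical, and Solidity 0.8.1 or later is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example: CheckedTransfer, IERC20Minimal and RewardPuller are hypothetical names.
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

library CheckedTransfer {
    function safeTransferFrom(
        address token,
        address from,
        address to,
        uint256 amount
    ) internal {
        // Low-level call: calling through the interface would make the ABI decoder
        // revert on tokens that return no data at all (the USDT case).
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Minimal.transferFrom.selector, from, to, amount)
        );
        require(ok, "CheckedTransfer: call reverted");

        if (ret.length == 0) {
            // No bool to validate. A call to an address without code also succeeds
            // with empty return data, so insist that a contract is deployed there.
            require(token.code.length > 0, "CheckedTransfer: not a contract");
        } else {
            // A bool exists: false must be treated as failure, not ignored.
            require(abi.decode(ret, (bool)), "CheckedTransfer: returned false");
        }
    }
}

abstract contract RewardPuller {
    // Same shape as the flagged call, with the result enforced.
    function _pullExtraReward(address token, address depositorProxy, uint256 amount) internal {
        CheckedTransfer.safeTransferFrom(token, depositorProxy, address(this), amount);
    }
}
```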

Alleviation:

The bool variables are now utilized directly.

BOO-02S: Redundant bool Variable Comparison

| Type             | Severity      | Location               |
|------------------|---------------|------------------------|
| Gas Optimization | Informational | Booster.sol:L226, L412 |

Description:

The linked statements perform a direct comparison between a bool variable and a bool literal.

Example:

contracts/core/Booster.sol
    if (distributeRewards == true) { // L412

Recommendation:

We advise using the bool variable directly instead, in either its normal or negated (!) form.

Alleviation:

The safeTransferFrom function is now properly utilized in the code.