Omniscia Arcade Protocol Audit
V2ToV3Rollover Static Analysis Findings
V2ToV3Rollover Static Analysis Findings
VTV-01S: Improper Invocation of EIP-20 transfer
| Type | Severity | Location |
|---|---|---|
| Standard Conformity |  | V2ToV3Rollover.sol:L184 |
Description:
The linked statement does not properly validate the returned bool of the EIP-20 standard transfer function. As the standard dictates, callers must not assume that false is never returned.
Impact:
If the code mandates that the returned bool is true, this will cause incompatibility with tokens such as USDT / Tether as no such bool is returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return a false value under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.
Example:
184asset.transfer(address(VAULT), flashAmountDue);Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20 by OpenZeppelin to opportunistically validate the returned bool only if it exists.
Alleviation:
The SafeERC20::safeTransfer function is now properly utilized in place of the ERC20::transfer function invocation, ensuring that the asset is safely transferred to the VAULT and thus alleviating this exhibit.