Omniscia Vector Finance Audit

xPTP Manual Review Findings

PTP-01M: Improper Invocation of EIP-20 transferFrom

Type: Standard Conformity
Severity: Minor
Location: xPTP.sol:L19

Description:

The linked statement does not properly validate the returned bool of the EIP-20 standard transferFrom function. As the standard dictates, callers must not assume that false is never returned; however, certain tokens such as USDT (Tether) are non-standard and return no bool, which causes such checks to fail.

Example:

contracts/xPTP.sol, line 19:
require(ERC20(ptp).transferFrom(msg.sender, mainContract, _amount));

Recommendation:

We advise that a safe wrapper library such as SafeERC20 by OpenZeppelin be utilized instead, so that the returned bool is opportunistically validated only if it exists.

Alleviation:

The safeTransferFrom function is now properly utilized.
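
The following is an added illustration, not code from the audited repository or from OpenZeppelin: it contrasts the strict pattern flagged above with a hand-written version of the "validate the bool only if it exists" check that the recommendation describes. All names (IERC20Minimal, OptionalReturn, DepositExample, token, vault) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Hypothetical minimal interface: only the function this finding concerns.
interface IERC20Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hand-written sketch of the optional-return check (illustrative, not a library's source).
library OptionalReturn {
    function safeTransferFrom(address token, address from, address to, uint256 amount) internal {
        // A low-level call to an address without code reports success, so reject it first.
        require(token.code.length > 0, "token has no code");

        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSelector(IERC20Minimal.transferFrom.selector, from, to, amount)
        );
        // The call itself must not have reverted.
        require(ok, "transferFrom reverted");

        // Standard tokens return an ABI-encoded bool: it must be true.
        // Non-standard tokens return nothing: empty return data is accepted.
        if (ret.length > 0) {
            require(abi.decode(ret, (bool)), "transferFrom returned false");
        }
    }
}

contract DepositExample {
    address public immutable token; // assumed EIP-20 token address
    address public immutable vault; // assumed recipient of deposits

    constructor(address token_, address vault_) {
        token = token_;
        vault = vault_;
    }

    // Pattern from the finding: the compiler-generated decoding of the bool
    // reverts when the token returns no data, so such tokens can never be deposited.
    function depositStrict(uint256 amount) external {
        require(IERC20Minimal(token).transferFrom(msg.sender, vault, amount));
    }

    // Hardened form: works for tokens that return true and for tokens that
    // return nothing, and still rejects an explicit false or a revert.
    function depositSafe(uint256 amount) external {
        OptionalReturn.safeTransferFrom(token, msg.sender, vault, amount);
    }
}
```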