the TransferHelper will not work with USDT #108

Open
hats-bug-reporter bot opened this issue Oct 15, 2024 · 1 comment
Labels
bug Something isn't working invalid This doesn't seem right

Comments

@hats-bug-reporter

Github username: --
Twitter username: --
Submission hash (on-chain): 0x813181e42fd163f8e690aaf146d9cddfc36d53fcbcb68173accb75c6b00fce87
Severity: medium

Description:
The safeTransferFrom() function is used to transfer ERC20 tokens:

function safeTransferFrom(
        address token,
        address from,
        address to,
        uint256 value
    ) internal {
        (bool success, bytes memory data) =
            token.call(abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, value));
        require(success && (data.length == 0 || abi.decode(data, (bool))), 'STF');
    }

But the issue is that this will not work with USDT because, as we know, USDT does not fully implement the ERC20 standard and it doesn't return a bool.

Therefore, if the protocol wants to support USDT tokens in the future, users will not be able to use it because all swaps will revert due to this issue.

POC
Please run this POC:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test, console} from "forge-std/Test.sol";

interface IERC20{
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract TransferTest is Test {
    IERC20 public usdt;

    function setUp() public {
      usdt = IERC20(0xdAC17F958D2ee523a2206206994597C13D831ec7);
    }

    function safeTransferFrom(
        address token,
        address from,
        address to,
        uint256 value
    ) internal {
        (bool success, bytes memory data) =
            token.call(abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, value));
        require(success && (data.length == 0 || abi.decode(data, (bool))), 'STF');
    }

    function test_poc() public{
        deal(address(usdt), address(this), 100e6);
        deal(address(usdt), address(msg.sender), 0);
        console.log(usdt.balanceOf(address(this)));
        safeTransferFrom(address(usdt), address(this), msg.sender, 100e6);
        console.log(usdt.balanceOf(address(this)));
        console.log(usdt.balanceOf(address(msg.sender)));
    }


}

Recommendation
To prevent this issue, consider using OZ safeTransferFrom() and safeTransfer().

@hats-bug-reporter hats-bug-reporter bot added the bug Something isn't working label Oct 15, 2024
@omega-audits omega-audits added the invalid This doesn't seem right label Oct 15, 2024
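
Added example, not part of the original issue or the project's code: a Foundry test that runs the same return-data check as the safeTransferFrom() quoted in the report against constructed mock tokens, showing which transferFrom behaviours the check accepts and which it rejects. The contract names (NoReturnToken, TrueToken, FalseToken, RevertToken) and the helper passesCheck are hypothetical; no mainnet fork is needed.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

// Constructed mocks (not real tokens). Each exposes the transferFrom selector
// with a different return behaviour; balances and allowances are omitted.
contract NoReturnToken { // succeeds and returns no data
    function transferFrom(address, address, uint256) external pure {}
}
contract TrueToken { // standard ERC20 behaviour: returns true
    function transferFrom(address, address, uint256) external pure returns (bool) { return true; }
}
contract FalseToken { // signals failure by returning false instead of reverting
    function transferFrom(address, address, uint256) external pure returns (bool) { return false; }
}
contract RevertToken { // signals failure by reverting
    function transferFrom(address, address, uint256) external pure { revert("no"); }
}

contract ReturnDataCheckTest is Test {
    bytes4 constant TRANSFER_FROM = bytes4(keccak256("transferFrom(address,address,uint256)"));

    // Same condition as the require() in safeTransferFrom(), returned as a verdict
    // instead of reverting with 'STF'.
    function passesCheck(address token) internal returns (bool) {
        (bool success, bytes memory data) =
            token.call(abi.encodeWithSelector(TRANSFER_FROM, address(this), address(1), uint256(1)));
        return success && (data.length == 0 || abi.decode(data, (bool)));
    }

    function test_returnDataCheck() public {
        // Empty return data satisfies the data.length == 0 branch.
        assertTrue(passesCheck(address(new NoReturnToken())));
        assertTrue(passesCheck(address(new TrueToken())));
        // A returned false or a revert fails the check.
        assertFalse(passesCheck(address(new FalseToken())));
        assertFalse(passesCheck(address(new RevertToken())));
        // Caveat: a call to an address with no code also succeeds with empty data,
        // so this check passes; OZ SafeERC20 additionally requires the target to have code.
        assertTrue(passesCheck(address(0xBEEF)));
    }
}
```
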
@omega-audits

There's no issue with the Oasis USDT contract
