3 min read · Sep 6, 2023
--
So… I recently participated in the Codehawks decentralized stablecoin contest, and I reported a valid medium risk issue, you can also watch the following video tutorial:
Today we will explore a real-world scenario form auditing contest that highlights the potential vulnerabilities associated with non-standard ERC20 tokens and delve into how the SafeERC20 library can mitigate such risks.
The root cause of this issue lies in the unique characteristics of USDT or other similar tokens as non-standard ERC20 tokens.
Unlike standard ERC20 tokens that return a boolean value upon executing transfer and transferFrom operations and revert the transaction in case of failure, USDT lacks this crucial feature.
Which means that if you check the return value of the transfer
or transferFrom
function it will always be false (the default value), which could lead to unexpected behaviour and DOS attack on the protocol
If you feel that you need to strengthen your solidity and security practices and you want to really understand the ERC20 standard, DOS attacks, and many more concepts, check out the smart contract hacking course:
SafeERC20 by Openzeppelin comes to the rescue by providing a solution to the challenges posed by non-standard ERC20 tokens.
SafeERC20 offers versions of the safeTransfer
and safeTransferFrom
functions, which go beyond the traditional transfer methods. These functions not only handle the standard ERC20 tokens but also accommodate non-standard-compliant tokens like USDT.
They way it works is that we use use the safeTransfer
and safeTransferFrom
functions from the SafeERC20 library to wrap the original ERC20 transfer
and transferFrom
functions
These “safe” functions make sure that in case the tokens we’re interacting with returns a boolean value (but only if it returns something), the transaction will be reverted, usign this library we can make sure all those weird ERC20 implementations don’t break our protocol.
In 3 simple steps:
Step 1 — Import the library
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
Step 2 — Use the library
using SafeERC20 for IERC20;
Step 3 — Use the functions
usdc.safeTransferFrom(msg.sender, address(this), requiredAmount);