Why you should ALWAYS use SafeERC20 (2024)

So… I recently participated in the Codehawks decentralized stablecoin contest, and I reported a valid medium risk issue, you can also watch the following video tutorial:

Today we will explore a real-world scenario form auditing contest that highlights the potential vulnerabilities associated with non-standard ERC20 tokens and delve into how the SafeERC20 library can mitigate such risks.

The root cause of this issue lies in the unique characteristics of USDT or other similar tokens as non-standard ERC20 tokens.

Unlike standard ERC20 tokens that return a boolean value upon executing transfer and transferFrom operations and revert the transaction in case of failure, USDT lacks this crucial feature.

Which means that if you check the return value of the transfer or transferFrom function it will always be false (the default value), which could lead to unexpected behaviour and DOS attack on the protocol

If you feel that you need to strengthen your solidity and security practices and you want to really understand the ERC20 standard, DOS attacks, and many more concepts, check out the smart contract hacking course:

SafeERC20 by Openzeppelin comes to the rescue by providing a solution to the challenges posed by non-standard ERC20 tokens.

SafeERC20 offers versions of the safeTransfer and safeTransferFrom functions, which go beyond the traditional transfer methods. These functions not only handle the standard ERC20 tokens but also accommodate non-standard-compliant tokens like USDT.

They way it works is that we use use the safeTransfer and safeTransferFrom functions from the SafeERC20 library to wrap the original ERC20 transfer and transferFrom functions

These “safe” functions make sure that in case the tokens we’re interacting with returns a boolean value (but only if it returns something), the transaction will be reverted, usign this library we can make sure all those weird ERC20 implementations don’t break our protocol.

In 3 simple steps:

Step 1 — Import the library

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

Step 2 — Use the library

using SafeERC20 for IERC20;

Step 3 — Use the functions

usdc.safeTransferFrom(msg.sender, address(this), requiredAmount);