Severity: Informational
Files Affected
cadence/contracts/FlowYieldVaultsEVM.cdc
Description
FlowYieldVaultsEVM.Worker.bridgeERC20ToEVM() sends ERC20 funds to an EVM user by calling depositTokens() into the COA and then performing a low-level call to the ERC20 transfer(address,uint256) function. The only check performed is on transferResult.status, i.e. whether the EVM call itself completed without reverting.
Similarly, completeProcessing() relies on an ERC20 approve() call from the COA before calling the EVM completeProcessing() function that pulls the funds via transferFrom; again only the call status is inspected.
However, many ERC20 variants do not revert on failure and instead return false (and some widely used tokens return no data at all, or use other non-standard return conventions). For those tokens the EVM call can report success while the transfer or approval semantically failed. In that case the worker proceeds as if the user was paid (or as if the refund allowance was granted), potentially finalizing requests without delivering funds, or leaving refunds impossible to execute because transferFrom will later fail for lack of allowance.
Recommendation
Validate the return data of every ERC20 transfer/approve call: when return data is present, ABI-decode it as a bool and treat false (or malformed data) as failure; treat empty return data as success only for tokens that are known not to return a value. Additionally, restrict supported tokens to audited, standard-compliant ERC20s and enforce those onboarding checks in configuration rather than trusting arbitrary token addresses.
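The following Cadence helper, added here as an illustration and not code from the FlowYieldVaultsEVM repository, shows how the recommended check can be applied to the COA's low-level ERC20 calls. It mirrors the approach used by SafeERC20-style libraries: the call must succeed at the EVM level, and if any return data comes back it must decode to `true`; empty return data is accepted only because some tokens return nothing. The contract name `SafeERC20Calls`, the function names, and the 100,000 gas limit are assumptions for this example; `EVM.encodeABIWithSignature`, `EVM.decodeABI`, `EVM.Result`, `EVM.Status`, and the `EVM.Call` entitlement are the Flow EVM contract's own API.

```cadence
import "EVM"

// Example helper (not part of FlowYieldVaultsEVM) that treats an ERC20
// transfer/approve as successful only when the EVM call did not revert
// AND the token's return value (if any) decodes to true.
access(all) contract SafeERC20Calls {

    // Assumed gas limit for a plain transfer/approve; tune per token.
    access(all) let erc20CallGasLimit: UInt64

    // Returns true iff `result` represents a semantically successful
    // ERC20 transfer/approve. Non-reverting tokens that return false,
    // and tokens that return malformed data, are both rejected.
    access(all) fun erc20CallSucceeded(result: EVM.Result): Bool {
        // 1. The EVM call itself must have completed without reverting.
        if result.status != EVM.Status.successful {
            return false
        }
        // 2. Tokens that return no data (non-standard but common) cannot
        //    be checked further; the revert check above is all we have.
        if result.data.length == 0 {
            return true
        }
        // 3. A standard bool return is exactly one 32-byte ABI word.
        //    Anything else is malformed and must not be trusted.
        if result.data.length != 32 {
            return false
        }
        let decoded = EVM.decodeABI(types: [Type<Bool>()], data: result.data)
        let ok = decoded[0] as? Bool
        return ok ?? false
    }

    // Performs ERC20 transfer(address,uint256) from `coa` and aborts the
    // transaction unless the transfer semantically succeeded.
    access(all) fun safeTransfer(
        coa: auth(EVM.Call) &EVM.CadenceOwnedAccount,
        token: EVM.EVMAddress,
        to: EVM.EVMAddress,
        amount: UInt256
    ) {
        let calldata = EVM.encodeABIWithSignature(
            "transfer(address,uint256)",
            [to, amount]
        )
        let result = coa.call(
            to: token,
            data: calldata,
            gasLimit: self.erc20CallGasLimit,
            value: EVM.Balance(attoflow: 0)
        )
        assert(
            self.erc20CallSucceeded(result: result),
            message: "ERC20 transfer failed or returned false: "
                .concat(result.errorMessage)
        )
    }

    // Performs ERC20 approve(address,uint256) from `coa` with the same
    // return-value check, so a refund path can rely on the allowance.
    access(all) fun safeApprove(
        coa: auth(EVM.Call) &EVM.CadenceOwnedAccount,
        token: EVM.EVMAddress,
        spender: EVM.EVMAddress,
        amount: UInt256
    ) {
        let calldata = EVM.encodeABIWithSignature(
            "approve(address,uint256)",
            [spender, amount]
        )
        let result = coa.call(
            to: token,
            data: calldata,
            gasLimit: self.erc20CallGasLimit,
            value: EVM.Balance(attoflow: 0)
        )
        assert(
            self.erc20CallSucceeded(result: result),
            message: "ERC20 approve failed or returned false: "
                .concat(result.errorMessage)
        )
    }

    init() {
        self.erc20CallGasLimit = 100_000
    }
}
```

Because `assert` aborts the whole transaction, a worker that calls `safeTransfer` or `safeApprove` instead of a bare `coa.call` can never finalize a request whose token reported `false`; the deposit into the COA and the request state change roll back together. Accepting empty return data is a deliberate trade-off for tokens that return nothing, which is why the recommendation also restricts the supported token set to audited, standard-compliant ERC20s.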
Parent Issue: #15