Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/unsafe-erc20-transfers

Name: unsafe-erc20-transfers
Author: apegurus

skills/vulnerability-patterns/unsafe-erc20-transfers/SKILL.md

npx skillsauth add apegurus/solidity-argus unsafe-erc20-transfers

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Unsafe ERC20 Transfer and Approve Calls

Overview

The standard ERC20 interface specifies that transfer(), transferFrom(), and approve() return a bool indicating success. However, many widely-used tokens deviate from this standard:

USDT does not return a boolean on transfer/approve
BNB, OMG have missing return values
Some tokens return false on failure instead of reverting

Contracts that call these functions directly (without SafeERC20) either:

Ignore the return value → silent failure, tokens not actually transferred
Expect a boolean return → revert on tokens that don't return one (like USDT)

Severity: Low to Medium

Prevalence: Found in 4 independent BailSec audits: Hypertrade V3 Core, Meuna, Robinos, SwapX Exchange.

Vulnerable Pattern

// VULNERABLE: Direct transfer — no return value check
function withdraw(address token, uint256 amount) external {
    IERC20(token).transfer(msg.sender, amount);
    // If token returns false instead of reverting, this silently fails
    // If token doesn't return bool (USDT), this reverts unexpectedly
    balances[msg.sender] -= amount;  // State updated even if transfer failed!
}

// VULNERABLE: Direct approve — breaks with USDT
function approveSpender(address token, address spender, uint256 amount) external {
    IERC20(token).approve(spender, amount);
    // USDT requires setting allowance to 0 before changing to non-zero
    // Direct approve also doesn't handle missing return values
}

Secure Pattern

import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20;

// SECURE: SafeERC20 handles all non-standard token behaviors
function withdraw(address token, uint256 amount) external {
    IERC20(token).safeTransfer(msg.sender, amount);
    // Reverts on failure for ALL token types
    balances[msg.sender] -= amount;
}

// SECURE: forceApprove handles USDT's approve quirk
function approveSpender(address token, address spender, uint256 amount) external {
    IERC20(token).forceApprove(spender, amount);
    // Sets to 0 first if needed (USDT), handles missing return values
}

Impact

Silent failure: Token transfer returns false but contract proceeds as if successful — leads to accounting mismatch
Unexpected revert: Contract fails on widely-used tokens (USDT, BNB) that don't conform to standard return types
Stuck funds: Approve fails on USDT when changing non-zero allowance without zeroing first
Loss of funds: State changes applied after a silently failed transfer result in fund loss

Affected Token Examples

| Token | Issue | Consequence | |-------|-------|-------------| | USDT | No bool return on transfer/approve | Reverts if caller expects bool return | | USDT | Requires approve(0) before approve(N) | Approve fails for non-zero to non-zero | | BNB | Missing return value | Reverts on standard interface call | | OMG | Missing return value | Reverts on standard interface call | | ZRX | Returns false on failure (no revert) | Silent failure if return unchecked |

Detection Checklist

Does the contract use IERC20.transfer() or IERC20.transferFrom() directly?
Is OpenZeppelin's SafeERC20 imported and applied via using SafeERC20 for IERC20?
Are safeTransfer, safeTransferFrom, and forceApprove used instead of raw calls?
Does the contract need to support USDT or other non-standard tokens?

Relationship to Other Patterns

unchecked-return-values: Covers low-level .call(), .send(), .delegatecall() return values — different from ERC20 interface returns
weird-tokens: Broader reference covering all non-standard token behaviors — this skill focuses specifically on the transfer/approve safety wrapper pattern
fee-on-transfer-tokens: Covers amount mismatch due to transfer fees — complementary to this pattern

Remediation

Use SafeERC20: Import and apply using SafeERC20 for IERC20 for all ERC20 interactions
Use forceApprove: Replace approve() with forceApprove() to handle USDT
Audit token list: Verify which tokens the protocol supports and test with non-standard ones
Add integration tests: Test deposit/withdraw flows with USDT, USDC, and at least one missing-return-value token

References

OpenZeppelin SafeERC20
Weird ERC20 — Missing Return Values
BailSec audit reports: Hypertrade V3 Core, Meuna, Robinos, SwapX Exchange

apegurus/unsafe-erc20-transfers

skills/vulnerability-patterns/unsafe-erc20-transfers/SKILL.md

Unsafe ERC20 transfer and approve calls that silently fail on non-standard tokens.

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus unsafe-erc20-transfers

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:32 AM159.4s1 file scanned

SKILL.md

name:: unsafe-erc20-transfers
description:: Interface-cast ERC20 approve without safe wrapper — return value not checked
category:: vulnerability-pattern
pattern_category:: token-standard
source_url:: https://github.com/bailsec/BailSec
source_license:: CC0
imported_at:: 2026-02-20T00:00:00Z
- regex:: IERC20$[^)]+$\.approve
severity:: Medium
confidence:: High

Unsafe ERC20 Transfer and Approve Calls

Overview

The standard ERC20 interface specifies that transfer(), transferFrom(), and approve() return a bool indicating success. However, many widely-used tokens deviate from this standard:

USDT does not return a boolean on transfer/approve
BNB, OMG have missing return values
Some tokens return false on failure instead of reverting

Contracts that call these functions directly (without SafeERC20) either:

Ignore the return value → silent failure, tokens not actually transferred
Expect a boolean return → revert on tokens that don't return one (like USDT)

Severity: Low to Medium

Prevalence: Found in 4 independent BailSec audits: Hypertrade V3 Core, Meuna, Robinos, SwapX Exchange.

Vulnerable Pattern

// VULNERABLE: Direct transfer — no return value check
function withdraw(address token, uint256 amount) external {
    IERC20(token).transfer(msg.sender, amount);
    // If token returns false instead of reverting, this silently fails
    // If token doesn't return bool (USDT), this reverts unexpectedly
    balances[msg.sender] -= amount;  // State updated even if transfer failed!
}

// VULNERABLE: Direct approve — breaks with USDT
function approveSpender(address token, address spender, uint256 amount) external {
    IERC20(token).approve(spender, amount);
    // USDT requires setting allowance to 0 before changing to non-zero
    // Direct approve also doesn't handle missing return values
}

Secure Pattern

import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20;

// SECURE: SafeERC20 handles all non-standard token behaviors
function withdraw(address token, uint256 amount) external {
    IERC20(token).safeTransfer(msg.sender, amount);
    // Reverts on failure for ALL token types
    balances[msg.sender] -= amount;
}

// SECURE: forceApprove handles USDT's approve quirk
function approveSpender(address token, address spender, uint256 amount) external {
    IERC20(token).forceApprove(spender, amount);
    // Sets to 0 first if needed (USDT), handles missing return values
}

Impact

Silent failure: Token transfer returns false but contract proceeds as if successful — leads to accounting mismatch
Unexpected revert: Contract fails on widely-used tokens (USDT, BNB) that don't conform to standard return types
Stuck funds: Approve fails on USDT when changing non-zero allowance without zeroing first
Loss of funds: State changes applied after a silently failed transfer result in fund loss

Affected Token Examples

Detection Checklist

Does the contract use IERC20.transfer() or IERC20.transferFrom() directly?
Is OpenZeppelin's SafeERC20 imported and applied via using SafeERC20 for IERC20?
Are safeTransfer, safeTransferFrom, and forceApprove used instead of raw calls?
Does the contract need to support USDT or other non-standard tokens?

Relationship to Other Patterns

unchecked-return-values: Covers low-level .call(), .send(), .delegatecall() return values — different from ERC20 interface returns
weird-tokens: Broader reference covering all non-standard token behaviors — this skill focuses specifically on the transfer/approve safety wrapper pattern
fee-on-transfer-tokens: Covers amount mismatch due to transfer fees — complementary to this pattern

Remediation

Use SafeERC20: Import and apply using SafeERC20 for IERC20 for all ERC20 interactions
Use forceApprove: Replace approve() with forceApprove() to handle USDT
Audit token list: Verify which tokens the protocol supports and test with non-standard ones
Add integration tests: Test deposit/withdraw flows with USDT, USDC, and at least one missing-return-value token

References

OpenZeppelin SafeERC20
Weird ERC20 — Missing Return Values
BailSec audit reports: Hypertrade V3 Core, Meuna, Robinos, SwapX Exchange

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/vulnerability-patterns/unsafe-erc20-transfers ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT