Ethereum Smart Contract Implicit Return can go wrong!

Paresh Masani
Mar 21, 2019


Recently ARAW (araw.io) was listed on IDEX, and they immediately had to de-list because deposits were failing on their platform. The IDEX team tried to investigate the issue, but it wasn’t a straightforward issue to resolve. That’s where the technical challenge came to me. Investigating technical problems is one of my favourite things.

IDEX Smart Contract

https://etherscan.io/address/0x2a0c0dbecc7e4d658f48e01e3fa353f44050c208#code

The issue was caused by the following line:

    if (!Token(token).transferFrom(msg.sender, this, amount)) throw;

The OpenZeppelin standard implementation of the transferFrom function is:

    function transferFrom(
        address _from,
        address _to,
        uint256 _value
    )
        public
        returns (bool)
    {
        require(_to != address(0));
        require(_value <= balances[_from]);
        require(_value <= allowed[_from][msg.sender]);

        balances[_from] = balances[_from].sub(_value);
        balances[_to] = balances[_to].add(_value);
        allowed[_from][msg.sender] = allowed[_from][msg.sender].sub(_value);
        emit Transfer(_from, _to, _value);
        return true;
    }

This transferFrom function always either returns true or throws. It never returns false, so checking and negating the transferFrom result doesn’t make sense in most cases. But IDEX handles 100s of token contracts, and many contracts explicitly return false when they want to fail the transaction, so it makes sense for them to have this condition.

ARAW Token Smart Contract

https://etherscan.io/address/0x30680ac0a8a993088223925265fd7a76beb87e7f#code

    function transferFrom(address _from, address _to, uint256 _value)
        public
        checkAfterICOLock
        returns (bool)
    {
        super.transferFrom(_from, _to, _value);
    }

Technically this is wrong, as the missing return statement makes this function implicitly return false. Logically it’s okay, as transferFrom either returns true or throws, so the code calling this method doesn’t need to check the return value — I would admit this was my wrong thinking!

Key Points

  • As a best practice, it’s always good to return true explicitly from the transferFrom function
  • Solidity should not allow implicit returns — I would expect the language to return an error message when a return is not specified explicitly
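The implicit return and its fix side by side, as an added example that is not the ARAW, IDEX or OpenZeppelin source. All contract names (BaseToken, ImplicitReturnToken, ExplicitReturnToken, DepositVault) and the sample supply are hypothetical, and the code assumes Solidity 0.8 rather than the compiler version the deployed contracts used.

```solidity
pragma solidity ^0.8.0;

// Hypothetical contracts for illustration; not the ARAW or IDEX source.
contract BaseToken {
    mapping(address => uint256) public balances;
    mapping(address => mapping(address => uint256)) public allowed;
    constructor() { balances[msg.sender] = 1000; } // constructed sample supply

    function approve(address spender, uint256 value) public returns (bool) {
        allowed[msg.sender][spender] = value;
        return true;
    }

    // Reverts on failure, returns true on success (never false).
    function transferFrom(address from, address to, uint256 value)
        public virtual returns (bool)
    {
        require(to != address(0) && value <= balances[from]);
        allowed[from][msg.sender] -= value; // checked math reverts if allowance is too low
        balances[from] -= value;
        balances[to] += value;
        return true;
    }
}

// Same shape as the override above: the result of super is discarded, so the
// unnamed bool return keeps its default value, false, even though tokens moved.
contract ImplicitReturnToken is BaseToken {
    function transferFrom(address from, address to, uint256 value)
        public override returns (bool)
    {
        super.transferFrom(from, to, value);
    }
}

// Corrected override: pass the base result back to the caller.
contract ExplicitReturnToken is BaseToken {
    function transferFrom(address from, address to, uint256 value)
        public override returns (bool)
    {
        return super.transferFrom(from, to, value);
    }
}

// Caller that checks the return value, like the exchange line quoted above.
contract DepositVault {
    function deposit(BaseToken token, uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom returned false");
    }
}
```

With ImplicitReturnToken every deposit reverts, and the revert also rolls back the balance changes the token had already made; with ExplicitReturnToken the same deposit succeeds.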

So How to Solve this Issue?

Two ways

  1. IDEX updates their smart contract to remove the condition, which would allow them to support the many token contracts that use an implicit return as ARAW does.

     They may not want to take that risk, as they expect a token contract with custom methods to send true or false. But in that case, based on the ERC-20 standard, transferFrom should throw, not return false, so it’s debatable which is best to follow.

  2. ARAW creates a new contract that avoids the implicit return of false in transferFrom and then does the token swap.

[Update]

After researching and re-thinking, I would agree that the ARAW token smart contract needs to be updated, as the function should always return true or throw based on the ERC-20 standard. There are contracts that return false when they want to fail the transaction.
