The SlowMist security team has discovered a vulnerability in the LDO token contract. When processing transfer operations, if the transfer amount exceeds the user's actual holdings, the operation does not trigger a rollback of the transaction. Instead, it directly returns a 'false' as the processing result. This handling method is different from many common ERC20 standard token contracts.
Due to this characteristic, there is a potential risk of 'fake deposit'. Malicious attackers may attempt to exploit this feature for fraudulent activities.
SlowMist suggests the following:
1. When processing token arrival logic, do not rely solely on the success or failure of the transaction. Instead, make judgments based on the actual return value of the token contract.
2. Be aware that there are many non-ERC20 standard token contracts in the market. Before integrating new tokens, thoroughly understand and analyze their contract code to ensure the correct implementation of deposit logic.
3. It is recommended to conduct regular code audits and security checks to ensure the robustness and security of the system.
Token contract implementation and behavior may vary by project. To ensure the safety of funds and the accuracy of transactions, it is strongly advised to thoroughly understand the contract logic and conduct sufficient testing before integrating any new tokens.
