Bnke0x0
high
The Bank._transferOut function uses the standard IERC20 function for the transfer call and proceeds with a checkReturnCode function to handle non-standard compliant tokens that don't return a return value. However, this does not work as a calling TokenUtils.transfer(dataStore, token, receiver, amount); already reverts if the token does not return a return value, as token's IERC20.transfer is defined to always return a boolean.
When using any non-standard compliant token like USDT, the function will revert. Deposits for these tokens are broken, which is bad as USDT is a valid underlying for the cUSDT cToken.
https://github.com/sherlock-audit/2023-02-gmx/blob/main/gmx-synthetics/contracts/bank/Bank.sol#L97
'TokenUtils.transfer(dataStore, token, receiver, amount);'
Manual Review
We recommend using OpenZeppelin’s SafeERC20 versions with the safeApprove function that handles the return value check as well as non-standard-compliant tokens.