AuditProfile

Security blog

WETH contract on different chains

Did you know that the WETH contract can be slightly different on different chains? It can play a costly trick on your code during token transfers. Let's see what can go wrong.

There was a Medium severity issue in the Abracadabra Money protocol. The protocol has a method that creates a pool for native tokens by wrapping them into their “wrapped” counterpart before sending them to the newly created pool.

See the code below, line 92

The transfer is done using address(weth).safeTransferFrom.

This works fine on most chains (Ethereum, Optimism, Polygon, BSC), which use the standard WETH9 contract that handles the case when src == msg.sender:

The problem is that the WETH implementation on Blast uses a different contract, and does not have this src == msg.sender handling.

The issue is also present in Wrapped Arbitrum and Wrapped Fantom.

Blast contract:

Link: https://blastscan.io/address/0x4300000000000000000000000000000000000004#code

Be careful when using the same WETH functions on different chains. You should check the contract source code each time before you use that contract.
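The failure mode described above, as an added example that is not the Abracadabra or Blast code. StrictWETH is a constructed mock of a wrapped token whose transferFrom always spends allowance, and NativeWrapRouter with its two functions is a hypothetical caller showing the fragile pattern beside a portable one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed mock of a wrapped token WITHOUT the WETH9 shortcut:
// transferFrom always spends allowance, even when from == msg.sender.
contract StrictWETH {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function deposit() external payable { balanceOf[msg.sender] += msg.value; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // WETH9 only touches allowance when from != msg.sender; this mock always does.
        allowance[from][msg.sender] -= amount; // reverts when allowance < amount
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical router (assumption for illustration).
contract NativeWrapRouter {
    StrictWETH public immutable weth;
    constructor(StrictWETH weth_) { weth = weth_; }

    // Fragile: allowance[this][this] is 0, so any non-zero amount reverts on StrictWETH.
    function wrapAndSendFragile(address pool) external payable {
        weth.deposit{value: msg.value}();
        require(weth.transferFrom(address(this), pool, msg.value), "transferFrom failed");
    }

    // Portable: the router already holds the tokens, so transfer needs no allowance.
    function wrapAndSend(address pool) external payable {
        weth.deposit{value: msg.value}();
        require(weth.transfer(pool, msg.value), "transfer failed");
    }
}
```

Calling wrapAndSendFragile with a non-zero value reverts against this mock, while wrapAndSend succeeds against both this mock and a WETH9-style token.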

#weth

#blast

#chain
