Severity: medium

Unsafe use of transfer()/transferFrom() with IERC20

Some tokens do not implement the ERC20 standard properly but are still accepted by most code that accepts ERC20 tokens. For example, Tether (USDT)'s transfer() and transferFrom() functions on L1 do not return booleans as the specification requires, and instead have no return value. When such tokens are cast to IERC20, the interface's return type (bool) does not match what the token actually returns (nothing), so Solidity's ABI decoding of the return data fails and the calls revert (see this link for a test case). Use OpenZeppelin's SafeERC20 safeTransfer()/safeTransferFrom() instead.
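The following is an added illustration, not code from the Beedle repository: a constructed token whose transfer()/transferFrom() return nothing (standing in for USDT's behaviour), a vault written in the style of the instances listed below that reverts against it, and the same vault rewritten with SafeERC20. The OpenZeppelin import paths and the contract names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumed OpenZeppelin layout; adjust the paths to the version installed.
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed stand-in for a non-compliant token such as USDT: transfer()
/// and transferFrom() either succeed or revert, but return no value, so their
/// ABI differs from IERC20's `returns (bool)`.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function transferFrom(address from, address to, uint256 amount) external {
        require(allowance[from][msg.sender] >= amount, "insufficient allowance");
        require(balanceOf[from] >= amount, "insufficient balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }
}

/// The pattern flagged in the finding: a direct call through IERC20.
/// Because IERC20.transferFrom is declared `returns (bool)`, the compiler
/// emits a check that at least 32 bytes of return data came back before
/// decoding. NoReturnToken returns 0 bytes, so this deposit always reverts,
/// even though the token itself would have executed the transfer.
contract UnsafeVault {
    IERC20 public immutable token;

    constructor(IERC20 t) {
        token = t;
    }

    function deposit(uint256 amount) external {
        // Reverts for NoReturnToken/USDT; also silently ignores a `false`
        // return from tokens that signal failure that way.
        token.transferFrom(msg.sender, address(this), amount);
    }
}

/// The recommended fix. SafeERC20 performs a low-level call and treats the
/// result as success when the call did not revert and the return data is
/// either empty or decodes to `true`; any other outcome reverts.
contract SafeVault {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;

    constructor(IERC20 t) {
        token = t;
    }

    function deposit(uint256 amount) external {
        // Works for standard tokens and for NoReturnToken/USDT alike, and
        // reverts if a token returns `false` instead of reverting.
        token.safeTransferFrom(msg.sender, address(this), amount);
    }
}
```

Deploying NoReturnToken and pointing both vaults at it is enough to reproduce the difference: UnsafeVault.deposit reverts on the return-data check, SafeVault.deposit succeeds. The SafeERC20 wrappers also close the second gap visible in the listed instances, where the boolean result of transfer()/transferFrom() is never checked, so a token that reports failure by returning false would otherwise be treated as a successful transfer.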

There are 24 instances of this issue:

File: src/Fees.sol
43: IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Fees.sol#L43

File: src/Staking.sol
39: TKN.transferFrom(msg.sender, address(this), _amount);
49: TKN.transfer(msg.sender, _amount);
55: WETH.transfer(msg.sender, claimable[msg.sender]);

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Staking.sol#L39
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Staking.sol#L49
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Staking.sol#L55

File: src/Lender.sol
152: IERC20(p.loanToken).transferFrom(
153: p.lender,
154: address(this),
155: p.poolBalance - currentBalance
156: );
159: (p.loanToken).transfer(
160: p.lender,
161: currentBalance - p.poolBalance
162: );
187: IERC20(pools[poolId].loanToken).transferFrom(
188: msg.sender,
189: address(this),
190: amount
191: );
203: IERC20(pools[poolId].loanToken).transfer(msg.sender, amount);
267: IERC20(loan.loanToken).transfer(feeReceiver, fees);
269: IERC20(loan.loanToken).transfer(msg.sender, debt - fees);
271: ERC20(loan.collateralToken).transferFrom(
272: msg.sender,
273: address(this),
274: collateral
275: );
317: IERC20(loan.loanToken).transferFrom(
318: msg.sender,
319: address(this),
320: loan.debt + lenderInterest
321: );
323: IERC20(loan.loanToken).transferFrom(
324: msg.sender,
325: feeReceiver,
326: protocolInterest
327: );
329: IERC20(loan.collateralToken).transfer(
330: loan.borrower,
331: loan.collateral
332: );
403: IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
505: IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
563: IERC20(loan.collateralToken).transfer(feeReceiver, govFee);
565: IERC20(loan.collateralToken).transfer(
566: loan.lender,
567: loan.collateral - govFee
568: );
642: IERC20(loan.loanToken).transferFrom(
643: msg.sender,
644: address(this),
645: debtToPay - debt
646: );
651: IERC20(loan.loanToken).transfer(feeReceiver, fee);
653: IERC20(loan.loanToken).transfer(msg.sender, debt - debtToPay - fee);
656: IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
663: IERC20(loan.collateralToken).transferFrom(
664: msg.sender,
665: address(this),
666: collateral - loan.collateral
667: );
670: IERC20(loan.collateralToken).transfer(
671: msg.sender,
672: loan.collateral - collateral
673: );

https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L152-L156
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L159-L162
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L187-L191
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L203
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L267
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L269
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L271-L275
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L317-L321
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L323-L327
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L329-L332
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L403
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L505
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L563
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L565-L568
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L642-L646
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L651
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L653
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L656
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L663-L667
https://github.com/Cyfrin/2023-07-beedle/blob/658e046bda8b010a5b82d2d85e824f3823602d27/src/Lender.sol#L670-L673
