Found in line 159 at 2023-07-beedle/src/Lender.sol:
IERC20(p.loanToken).transfer(
Found in line 203 at 2023-07-beedle/src/Lender.sol:
IERC20(pools[poolId].loanToken).transfer(msg.sender, amount);
Found in line 267 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(feeReceiver, fees);
Found in line 269 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(msg.sender, debt - fees);
Found in line 329 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.collateralToken).transfer(
Found in line 403 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
Found in line 505 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
Found in line 563 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.collateralToken).transfer(feeReceiver, govFee);
Found in line 565 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.collateralToken).transfer(
Found in line 651 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(feeReceiver, fee);
Found in line 653 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(msg.sender, debt - debtToPay - fee);
Found in line 656 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.loanToken).transfer(feeReceiver, protocolInterest);
Found in line 670 at 2023-07-beedle/src/Lender.sol:
IERC20(loan.collateralToken).transfer(
Found in line 49 at 2023-07-beedle/src/Staking.sol:
TKN.transfer(msg.sender, _amount);
Found in line 55 at 2023-07-beedle/src/Staking.sol:
WETH.transfer(msg.sender, claimable[msg.sender]);
Found in line 43 at 2023-07-beedle/src/Fees.sol:
IERC20(WETH).transfer(staking, IERC20(WETH).balanceOf(address(this)));
.transfer relays 2300 gas, while .call relays all the gas. If the receive/fallback function of the recipient proxy contract has complex logic, using .transfer will fail, causing integration issues. Replace .transfer with .call. Note that the result of .call needs to be checked.
Found in line 12 at 2023-07-beedle/src/Beedle.sol:
_mint(msg.sender, 1_000_000_000 * 1e18);
Found in line 22 at 2023-07-beedle/src/Beedle.sol:
function _mint(address to, uint256 amount)
Found in line 26 at 2023-07-beedle/src/Beedle.sol:
super._mint(to, amount);
Found in line 37 at 2023-07-beedle/src/Beedle.sol:
_mint(to, amount);
_mint won’t check whether the recipient is able to receive the NFT. If an incorrect address is passed, it will result in a silent failure and loss of the asset. OpenZeppelin's recommendation is to use the safe variant of _mint. Replace _mint() with _safeMint().
Found in line 17 at 2023-07-beedle/src/Fees.sol:
ISwapRouter(0xE592427A0AEce92De3Edee1F18E0157C05861564);
Router etc. If these addresses change in the future, for example because of a version update, addresses coded as constants cannot be updated, so it is recommended to add an update option protected by the onlyOwner modifier.
Found in line 19 at 2023-07-beedle/src/utils/Ownable.sol:
function transferOwnership(address _owner) public virtual onlyOwner {
Use a two-step transferOwnership, which is safer. A safeTransferOwnership flow is more secure because the ownership transfer happens in two stages. See https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable2Step.sol
Found in line 27 at 2023-07-beedle/src/Staking.sol:
IERC20 public immutable TKN;
Found in line 29 at 2023-07-beedle/src/Staking.sol:
IERC20 public immutable WETH;
Found in line 12 at 2023-07-beedle/src/Fees.sol:
address public immutable WETH;
Found in line 13 at 2023-07-beedle/src/Fees.sol:
address public immutable staking;
Immutables should be in uppercase. This helps to distinguish immutables from other types of variables and improves code readability.