DeFi, Hardhat, Oracle, Proxy, Updates
100,000 USDC
Submission Details
Severity: low
Invalid

[M] Use of non-safe ERC20 transfer operations

Summary

LibWellConvert transfers the converted Beans to the well address.

However, it is good practice to add a require() statement that checks the return value of token transfers, or
to use something like OpenZeppelin’s safeTransfer/safeTransferFrom, unless one is sure the given token
reverts in case of a failure.

Vulnerability Details

    function _wellAddLiquidityTowardsPeg(uint256 beans, uint256 minLP, address well)
        internal returns (uint256 lp, uint256 beansConverted)
    {
        (uint256 maxBeans, ) = _beansToPeg(well);
        require(maxBeans > 0, "Convert: P must be >= 1.");
        beansConverted = beans > maxBeans ? maxBeans : beans;
        C.bean().transfer(well, beansConverted); //@audit safeTransfer not used?
        lp = IWell(well).sync(address(this), minLP);
    }

Impact

Failure to use safeTransfer operations will cause transfers to fail silently and affect token accounting in the contract.

Tools Used

Manual Review

Recommendations

Use OpenZeppelin’s safeTransfer functions to ensure that token transfers are executed safely.
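
The general pattern behind this recommendation, as an added example that is not part of the original submission or the audited code base: a token that signals failure by returning false passes an unchecked transfer() call but is rejected by a checked one. FalseReturningToken, TransferDemo and IERC20Min are hypothetical names constructed for illustration; the page does not state how the Bean token itself behaves on failure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20Min {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token for illustration: reports failure by returning false
// instead of reverting. This is NOT the Bean token.
contract FalseReturningToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // silent failure
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract TransferDemo {
    // Same pattern as the flagged line: the returned bool is discarded, so
    // this call succeeds even when no tokens moved.
    function uncheckedSend(IERC20Min token, address to, uint256 amount) external {
        token.transfer(to, amount);
    }

    // Checked variant, following the approach of OpenZeppelin's SafeERC20:
    // revert if the call fails or if it returns data that decodes to false.
    // Tokens that return no data are accepted, provided `token` has code.
    function checkedSend(IERC20Min token, address to, uint256 amount) external {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) =
            address(token).call(abi.encodeCall(IERC20Min.transfer, (to, amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}
```

With a TransferDemo instance holding no balance of FalseReturningToken, uncheckedSend completes without moving tokens, while checkedSend reverts with "transfer failed".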

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
