100,000 USDC
Submission Details
Severity: low
Invalid

[L-3] Unsafe ERC20 Operations should not be used

Summary

ERC20 functions may not behave as expected. For example, return values are not always meaningful.

Recommendation

It is recommended to use OpenZeppelin's SafeERC20 library.

Vulnerability details

  • Found in contracts/beanstalk/farm/TokenFacet.sol Line: 109

    LibTokenApprove.approve(msg.sender, spender, token, amount);
  • Found in contracts/beanstalk/farm/TokenFacet.sol Line: 120

    LibTokenApprove.approve(
  • Found in contracts/beanstalk/farm/TokenFacet.sol Line: 147

    LibTokenApprove.approve(
  • Found in contracts/beanstalk/farm/TokenFacet.sol Line: 183

    LibTokenApprove.approve(owner, spender, IERC20(token), value);
  • Found in contracts/beanstalk/init/InitDiamond.sol Line: 41

    C.bean().approve(C.CURVE_BEAN_METAPOOL, type(uint256).max);
  • Found in contracts/beanstalk/init/InitDiamond.sol Line: 42

    C.bean().approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/beanstalk/init/InitDiamond.sol Line: 43

    C.usdc().approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/beanstalk/init/replant/Replant8.sol Line: 83

    bean.approve(C.CURVE_BEAN_METAPOOL, type(uint256).max);
  • Found in contracts/beanstalk/init/replant/Replant8.sol Line: 84

    bean.approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/beanstalk/init/replant/Replant8.sol Line: 85

    C.usdc().approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/beanstalk/init/replant/Replant8.sol Line: 86

    C.usdc().transferFrom(msg.sender, address(this), INITIAL_LP);
  • Found in contracts/beanstalk/init/replant/Replant8.sol Line: 94

    IERC20(metapool).transfer(msg.sender, newLP);
  • Found in contracts/beanstalk/sun/SeasonFacet/Weather.sol Line: 202

    C.bean().approve(sopWell, sopBeans);
  • Found in contracts/libraries/Convert/LibWellConvert.sol Line: 202

    C.bean().transfer(well, beansConverted);
  • Found in contracts/mocks/MockInitDiamond.sol Line: 29

    C.bean().approve(C.CURVE_BEAN_METAPOOL, type(uint256).max);
  • Found in contracts/mocks/MockInitDiamond.sol Line: 30

    C.bean().approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/mocks/MockInitDiamond.sol Line: 31

    C.usdc().approve(C.curveZapAddress(), type(uint256).max);
  • Found in contracts/mocks/curve/MockCurveZap.sol Line: 22

    IERC20(BEAN).approve(BEAN_METAPOOL, type(uint256).max);
  • Found in contracts/mocks/curve/MockCurveZap.sol Line: 23

    IERC20(THREE_CURVE).approve(BEAN_METAPOOL, type(uint256).max);
  • Found in contracts/mocks/curve/MockCurveZap.sol Line: 27

    IERC20(BEAN).transferFrom(msg.sender, address(this), depAmounts[0]);
  • Found in contracts/mocks/curve/MockCurveZap.sol Line: 28

    IERC20(USDC).transferFrom(msg.sender, THREE_POOL, depAmounts[2]);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 208

    ERC20(coins[i]).transferFrom(msg.sender, address(this), dx);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 209

    ERC20(coins[j]).transfer(_receiver, dy);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 265

    IBean(coins[i]).transferFrom(msg.sender, address(this), amount);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 295

    ERC20(coins[i]).transfer(_receiver, value);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 356

    ERC20(coins[i]).transfer(_receiver, amount);
  • Found in contracts/mocks/curve/MockMeta3Curve.sol Line: 390

    IBean(coins[i]).transfer(_receiver, dy);
  • Found in contracts/mocks/curve/MockPlainCurve.sol Line: 185

    IBean(coins[i]).transferFrom(msg.sender, address(this), amount);
  • Found in contracts/mocks/curve/MockPlainCurve.sol Line: 214

    IBean(coins[i]).transfer(msg.sender, dy);
  • Found in contracts/mocks/mockFacets/MockFertilizerFacet.sol Line: 24

    IERC20(C.WETH).transferFrom(
  • Found in contracts/tokens/Fertilizer/FertilizerPreMint.sol Line: 38

    IERC20(WETH).approve(SWAP_ROUTER, type(uint256).max);
  • Found in contracts/tokens/Fertilizer/FertilizerPreMint.sol Line: 46

    IUSDC.transferFrom(msg.sender, CUSTODIAN, amount);
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
