Potential Reentrancy Risk TokenFacet.sol: function transferToken()
BIC Response
After significant investigation we have found the following:
The Grim exploit is different in that regardless of what token address is input, the same state variables are accessed. Thus, by using a custom contract with a transferFrom function that reenters the same function, they are able to rerun the logic that gets run when the actual token is input. Thus, they can reenter as many times as they want, send the desired tokens to the contract and then perform the mint operation.
transferToken only accesses token state specific info, so there is no way to use a custom contract to perform a reentrancy attack on state corresponding to real ERC-20 tokens.
There is an ability to reenter transferToken if an ERC-777 token is used, but given that balance state variables are decremented before tokens are received and balance state variables are incremented before tokens are sent out, it does not seem to be possible to perform manipulation.
Thus, the POC does not work in the case of Beanstalk.
Thank you for your thorough report, but for the above reasons, we are closing the submission and no reward will be issued.
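
The distinction drawn in the response above, between accounting that reads the same state variables for any token address and accounting keyed by the token that was passed in, shown as a simplified Python model. This is an added example, not Beanstalk's or Grim's contract code; the class names, the one-shot transfer hook and the amounts are constructed for illustration.

```python
"""Constructed model: shared accounting vs. accounting keyed by token address."""

class Token:
    """Minimal ERC-20-like token (constructed for this example)."""
    def __init__(self, on_transfer=None):
        self.bal = {}
        self.on_transfer = on_transfer  # code a custom token contract could run

    def transfer_from(self, src, dst, amount):
        hook, self.on_transfer = self.on_transfer, None  # fire at most once
        if hook:
            hook()  # control passes to token code before balances move
        if self.bal.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.bal[src] -= amount
        self.bal[dst] = self.bal.get(dst, 0) + amount


class SharedStateVault:
    """Credits from one state variable whatever token address is passed in."""
    def __init__(self, want):
        self.want, self.credit = want, {}

    def deposit(self, token, user, amount):
        before = self.want.bal.get(self, 0)
        token.transfer_from(user, self, amount)
        gained = self.want.bal.get(self, 0) - before
        self.credit[(user, self.want)] = self.credit.get((user, self.want), 0) + gained


class PerTokenLedger(SharedStateVault):
    """Reads and writes only state keyed by the token that was passed in."""
    def deposit(self, token, user, amount):
        before = token.bal.get(self, 0)
        token.transfer_from(user, self, amount)
        gained = token.bal.get(self, 0) - before
        self.credit[(user, token)] = self.credit.get((user, token), 0) + gained


def credit_after_nested_deposit(ledger_cls):
    """Deposit 100 real tokens from inside a custom token's transfer hook."""
    real = Token()
    ledger = ledger_cls(real)
    real.bal["user"] = 100
    custom = Token(on_transfer=lambda: ledger.deposit(real, "user", 100))
    custom.bal["user"] = 100
    ledger.deposit(custom, "user", 100)
    # (credit recorded against the real token, real tokens actually held)
    return ledger.credit.get(("user", real), 0), real.bal[ledger]
```

In the shared-state model the recorded credit exceeds the real tokens held, while the keyed ledger records the custom token's transfer only under the custom token's own key, so credit for the real token matches what was received.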