Report #12351

Report Date
October 12, 2022

Inconsistent usage of 'safeTransferFrom' in Fertilizer1155.sol can cause failures to deliver returns and transfers

Report Info

Report ID

#12351

Target

Report type

Smart Contract

Impacts

Contract fails to deliver promised returns, but doesn't lose value

Has PoC?

Yes

Bug Description

It is good practice to add a require() statement that checks the return value of token transfers, or to use something like OpenZeppelin's 'safeTransfer'/'safeTransferFrom', unless one is sure the given token reverts in case of a failure.

Impact

Failure to do so can cause transfers to fail silently: the contract fails to deliver promised returns, but doesn't lose value.

Recommendation

Consider using 'safeTransfer'/'safeTransferFrom' or require() consistently.
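The three patterns the description contrasts, as an added illustration for an ERC20-style token (example code written for this page, not Beanstalk or Fertilizer1155 code; contract and library names are hypothetical):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 surface (standard signatures) used by the examples below.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Weak pattern: the boolean returned by transfer() is discarded, so a token
// that signals failure by returning false (rather than reverting) lets the
// payout "succeed" silently and the recipient receives nothing.
contract UncheckedPayout {
    IERC20 public immutable token;
    constructor(IERC20 _token) { token = _token; }

    function payout(address to, uint256 amount) external {
        token.transfer(to, amount); // return value ignored
    }
}

// Hardened pattern 1: require() on the returned boolean, as the report suggests.
contract CheckedPayout {
    IERC20 public immutable token;
    constructor(IERC20 _token) { token = _token; }

    function payout(address to, uint256 amount) external {
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Hardened pattern 2: a minimal safeTransfer in the spirit of OpenZeppelin's
// SafeERC20 (hypothetical library, not OZ's code). It requires the target to be
// a contract, tolerates tokens that return no data, and reverts on a false return.
library SafeTransferLib {
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "safeTransfer failed");
    }
}

contract SafePayout {
    using SafeTransferLib for IERC20;
    IERC20 public immutable token;
    constructor(IERC20 _token) { token = _token; }

    function payout(address to, uint256 amount) external {
        token.safeTransfer(to, amount); // reverts instead of failing silently
    }
}
```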

References

This similar medium-severity finding from the Consensys Diligence audit of Fei Protocol

Proof Of Concept

Navigate to the following contract

'safeBatchTransferFrom' functions are used instead of 'safeTransferFrom' in the following contract.

Immunefi Response

Hi, Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • claimed severity is not in scope for the bug bounty program

Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:

  • check if whitehat's claims are factually correct
  • check PoC to understand the validity
  • assess the submission's severity

These activities are the project's responsibility.

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.