Omniscia Beanstalk Audit
FundraiserFacet Manual Review Findings
FundraiserFacet Manual Review Findings
FFE-01M: Substantial Supply Increase
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | FundraiserFacet.sol:L53 |
Description:
The createFundraiser function represents a permission less (should the vote have been accepted) execution of a large mint operation which affects multiple mathematical aspects of the protocol.
Example:
45function createFundraiser(address payee, address token, uint256 amount) public {46 require(msg.sender == address(this), "Fundraiser: sender must be Beanstalk.");47 uint32 id = s.fundraiserIndex;48 s.fundraisers[id].token = token;49 s.fundraisers[id].remaining = amount;50 s.fundraisers[id].total = amount;51 s.fundraisers[id].payee = payee;52 s.fundraiserIndex = id + 1;53 bean().mint(address(this), amount);54 emit CreateFundraiser(id, payee, token, amount);55}Recommendation:
We advise it to only be executable non-reentrantly to avoid unexpected behaviour in the overall operation of the Beanstalk system.
Alleviation:
The fundraiser now contains a start variable that is utilized to prevent a fund raiser from initiating and ending in the same block thereby alleviating this exhibit.
FFE-02M: Improper Handling of Overfunding
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | FundraiserFacet.sol:L32 |
Description:
The _fund function will fatally fail in case the specified funding exceeds the amount that is remaining for a particular endeavour. This behaviour is non-standard as a condition can arise whereby multiple people want to participate on the same fundraiser and would thus over fund it.
Example:
29function _fund(uint32 id, uint256 amount) internal {30 uint256 remaining = s.fundraisers[id].remaining;31 require(remaining > 0, "Fundraiser: already completed.");32 require(remaining >= amount, "Fundraiser: amount exceeds remaining.");33 IERC20(s.fundraisers[id].token).transferFrom(msg.sender, address(this), amount);34 s.fundraisers[id].remaining = remaining.sub(amount);35 emit FundFundraiser(msg.sender, id, amount);36 37 if (s.fundraisers[id].remaining == 0) completeFundraiser(id);38}Recommendation:
We advise graceful handling to be introduced instead whereby if the amount exceeds the value of remaining, it is assigned to it directly to complete the fundraiser.
Alleviation:
The code was updated to gracefully handle over-funding and consume all remaining amount instead.