Omniscia Beanstalk Audit

FundraiserFacet Static Analysis Findings

FundraiserFacet Static Analysis Findings

FFE-01S: Improper Invocation of EIP-20 transfer / transferFrom

Description:

The linked statements do not properly validate the returned bool of the EIP-20 standard transfer function. As the standard dictates, callers must not assume that false is never returned.

Example:

protocol/contracts/farm/facets/FundraiserFacet.sol
40function completeFundraiser(uint32 id) internal {
41 IERC20(s.fundraisers[id].token).transfer(s.fundraisers[id].payee, s.fundraisers[id].total);
42 emit CompleteFundraiser(id);
43}

Recommendation:

Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20 by OpenZeppelin to opportunistically validate the returned bool only if it exists.

Alleviation:

The safeTransfer function of the SafeERC20 library is now correctly invoked.