Platform: Code4rena
Start Date: 22/09/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 133
Period: 3 days
Judge: 0xean
Total Solo HM: 2
Id: 165
League: ETH
Rank: 128/133
Findings: 1
Award: $12.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lambda
Also found by: 0x1f8b, 0x5rings, 0xSky, 0xSmartContract, 8olidity, Chom, CodingNameKiki, IllIllI, Ruhum, Sm4rty, brgltd, hansfriese, m9800, magu, pashov, pedroais, peritoflores, prasantgupta52, rokinot, seyni
12.4859 USDC - $12.49
https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L200
Tokens whose transfer() does not return a boolean will be stuck in the contract if they are ever sent to it (the Weird-ERC20 repository keeps a list of such tokens).
Because the contract explicitly contains logic to recover ERC20 tokens I believe this warrants a MED classification. The function doesn't work properly and can lead to lost funds in rare circumstances.
The issue is that the transfer() call is wrapped in a require() statement: https://github.com/code-423n4/2022-09-frax/blob/main/src/frxETHMinter.sol#L200

The call goes through an IERC20 interface whose transfer() is declared to return a bool, so a token that returns no data cannot satisfy it. On any compiler since 0.4.22, including the 0.8.x line this codebase targets, the ABI decoder checks that at least 32 bytes of return data are present and reverts the whole call when they are not; on older compilers the missing value decoded as the default false and the require() failed. Either way recoverERC20() reverts for such a token and the balance stays in the contract.

Tools used: none
Use the SafeERC20 library.
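To show the failure mode and the fix side by side, here is an added, self-contained illustration (not code from the Frax repository or the C4 report). The contract names NoBoolToken, RecoverUnsafe, RecoverSafe and Demo are invented for this example; the OpenZeppelin import paths are assumed to be available in the build.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not code from the Frax repository. Uses OpenZeppelin's
// IERC20 and SafeERC20 (assumed available at these import paths).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed stand-in for a "missing return value" token: transfer()
/// moves the balance but returns nothing, so a caller that expects a bool
/// gets zero bytes of return data.
contract NoBoolToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000e18;
    }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// The pattern the finding describes: the bool returned by transfer() is
/// wrapped in require(). Hypothetical contract, not frxETHMinter itself.
contract RecoverUnsafe {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function recoverERC20(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        // IERC20.transfer is declared as returning bool. For NoBoolToken the
        // ABI decoder finds 0 bytes of return data instead of 32 and reverts
        // before require() is even evaluated, so recovery never succeeds.
        require(IERC20(token).transfer(owner, amount), "recoverERC20: Transfer failed");
    }
}

/// Hardened version: safeTransfer performs a low-level call and treats it as
/// successful when it does not revert and either returns nothing or returns
/// true. Only an explicit false or a revert makes it fail.
contract RecoverSafe {
    using SafeERC20 for IERC20;

    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function recoverERC20(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        IERC20(token).safeTransfer(owner, amount);
    }
}

/// Deploy this and call run(): it funds both recovery contracts with the
/// constructed token, shows the unsafe recovery reverting, and the safe one
/// returning the tokens to this contract (the owner of both).
contract Demo {
    function run() external returns (bool unsafeReverted, uint256 recovered) {
        NoBoolToken token = new NoBoolToken();
        RecoverUnsafe unsafeRecover = new RecoverUnsafe();
        RecoverSafe safeRecover = new RecoverSafe();

        token.transfer(address(unsafeRecover), 100e18);
        token.transfer(address(safeRecover), 100e18);

        try unsafeRecover.recoverERC20(address(token), 100e18) {
            unsafeReverted = false;
        } catch {
            unsafeReverted = true; // the 100e18 stays stuck in unsafeRecover
        }

        safeRecover.recoverERC20(address(token), 100e18);
        recovered = token.balanceOf(address(this)); // 800e18 + 100e18 = 900e18
    }
}
```

Calling Demo.run() yields unsafeReverted == true and recovered == 900e18: the SafeERC20 path accepts the empty return data, while the require()-wrapped path can never move the tokens out. Note that safeTransfer still reverts on a token that explicitly returns false or whose call itself reverts, so the check the original require() intended is preserved.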
#0 - FortisFortuna
2022-09-25T21:30:31Z
Not really medium risk. Technically you could use safeTransfer, but if someone were to accidentally send something to this contract, it would most likely be either ETH, FRAX, frxETH, or sfrxETH, all of which are transfer compliant.
#1 - joestakey
2022-09-26T14:35:29Z
Duplicate of #18