Platform: Code4rena
Start Date: 03/02/2022
Pot Size: $75,000 USDC
Total HM: 42
Participants: 52
Period: 7 days
Judge: GalloDaSballo
Total Solo HM: 21
Id: 83
League: ETH
Rank: 44/52
Findings: 1
Award: $125.49
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: hickuphh3
Also found by: 0x1f8b, 0xw4rd3n, BouSalman, CertoraInc, Czar102, Dravee, IllIllI, Randyyy, Rhynorater, Ruhum, ShadowyNoobDev, Sleepy, SolidityScan, WatchPug, bitbopper, cccz, cryptphi, csanuragjain, defsec, gzeon, harleythedog, hubble, hyh, kenta, kirk-baird, leastwood, mtz, pauliax, peritoflores, rfa, robee, samruna, throttle, wuwe1, ye0lde
125.4893 USDC - $125.49
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L179 https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L182
ERC20 implementations are not always consistent. Some implementations of transfer and transferFrom could return ‘false’ on failure instead of reverting. It is safer to wrap such calls into require() statements or use safe wrapper functions implementing return value/data checks to handle these failures.
It is observed that safeTransfer() is being used in the withdraw function; this should be replicated in the _calcRewardIntegral function.
Unsafe transfer calls were found in the following locations:
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L179
https://github.com/code-423n4/2022-02-concur/blob/main/contracts/ConvexStakingWrapper.sol#L182
Check the return value and revert on 0/false, or use OpenZeppelin’s SafeERC20 wrapper functions such as safeTransfer.
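The failure mode described above, as an added example that is not part of the original submission or the Concur code base. FalseOnFailToken and RewardPayer are hypothetical contracts constructed for illustration; payChecked inlines a simplified version of the return-data check that SafeERC20.safeTransfer performs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Constructed token: signals failure by returning false instead of reverting.
contract FalseOnFailToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false; // no revert
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical reward payer (assumption), not the ConvexStakingWrapper code.
contract RewardPayer {
    mapping(address => uint256) public owed;

    function accrue(address user, uint256 amount) external {
        owed[user] += amount;
    }

    // Unchecked: a false return is ignored, so the debt is cleared but nothing is paid.
    function payUnchecked(IERC20 token, address user) external {
        uint256 amount = owed[user];
        owed[user] = 0;
        token.transfer(user, amount);
    }

    // Checked: revert if the call fails or returns false; empty return data is
    // accepted for tokens that return nothing. The revert restores owed[user].
    function payChecked(IERC20 token, address user) external {
        uint256 amount = owed[user];
        owed[user] = 0;
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(IERC20.transfer.selector, user, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

With RewardPayer holding fewer tokens than it owes, payUnchecked succeeds and silently zeroes the user's balance owed, while payChecked reverts and leaves the accounting intact.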
#0 - GalloDaSballo
2022-04-20T16:08:26Z
#1 - JeeberC4
2022-04-21T01:51:56Z
Adding to QA Report #81
#2 - GalloDaSballo
2022-04-21T17:08:38Z
Finding is valid
#3 - GalloDaSballo
2022-04-27T14:56:40Z
1
#4 - JeeberC4
2022-04-28T20:27:53Z
Generating as QA Report as warden's actual QA Report was invalidated by judge. Preserving original title: Unhandled return value of transfer in ConvexStakingWrapper