The SeasonGettersFacet contract in the provided codebase exposes a high-risk vulnerability due to the uninitialized state variable s. The variable is never initialized within the contract, yet it is read extensively across its functions, which can lead to unexpected behavior or vulnerabilities in the system.
The s state variable in the SeasonGettersFacet contract is read in numerous functions without being initialized anywhere within the contract. This lack of initialization poses a significant risk, since it can produce inconsistencies or errors whenever data stored in this variable is accessed.
Slither output showing the locations in SeasonGettersFacet.sol where the variable 's' is used:
- SeasonGettersFacet.season() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#35-37)
- SeasonGettersFacet.paused() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#42-44)
- SeasonGettersFacet.time() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#49-51)
- SeasonGettersFacet.abovePeg() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#56-58)
- SeasonGettersFacet.sunriseBlock() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#63-65)
- SeasonGettersFacet.weather() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#70-72)
- SeasonGettersFacet.rain() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#77-79)
- SeasonGettersFacet.plentyPerRoot(uint32) (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#84-86)
- SeasonGettersFacet.wellOracleSnapshot(address) (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#112-114)
- SeasonGettersFacet.getSeedGauge() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#137-139)
- SeasonGettersFacet.getAverageGrownStalkPerBdvPerSeason() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#146-148)
- SeasonGettersFacet.getBeanToMaxLpGpPerBdvRatio() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#154-156)
- SeasonGettersFacet.getBeanToMaxLpGpPerBdvRatioScaled() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#162-164)
- SeasonGettersFacet.getGaugePointsPerBdvForWell(address) (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#182-190)
- SeasonGettersFacet.getGrownStalkIssuedPerSeason() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#210-219)
- SeasonGettersFacet.getGrownStalkIssuedPerGp() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#224-238)
- SeasonGettersFacet.getPodRate() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#243-246)
- SeasonGettersFacet.getDeltaPodDemand() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#260-264)
- SeasonGettersFacet.getWeightedTwaLiquidityForWell(address) (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#281-285)
- SeasonGettersFacet.getGaugePoints(address) (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#312-314)
- SeasonGettersFacet.getSopWell() (contracts/beanstalk/sun/SeasonFacet/SeasonGettersFacet.sol#322-324)
The impact of this vulnerability is severe, as it can result in undefined behavior or errors whenever data stored in the uninitialized s state variable is accessed. Depending on the specific context and usage of s within the contract functions, this may lead to unexpected outcomes, potential security breaches, or system malfunctions.
Manual review and Slither.
To mitigate this vulnerability, initialize all state variables properly before they are accessed or used within the contract functions. Review the contract's initialization logic and ensure that every state variable is set to an appropriate value or reference before any function reads it.
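As an added illustration (not code from the audited project), the hypothetical minimal contracts below show the shape that Slither's uninitialized-state detector reports, with the struct variable s read by getters but never written, next to a version where a guarded one-shot initializer populates s before the getters are relied on. Contract names, the Season struct and the initialize function are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Shape that Slither's `uninitialized-state` detector reports: `s` is read by
// every getter, yet no function in the contract ever writes to it.
// Hypothetical minimal contract, not the project's SeasonGettersFacet.
contract GettersUninitialized {
    struct Season { uint32 current; bool paused; }

    Season internal s; // never assigned anywhere in this contract

    function season() external view returns (uint32) { return s.current; }
    function paused() external view returns (bool)   { return s.paused; }
}

// Remediated shape: a guarded, one-shot initializer populates `s` before the
// getters are relied on, so the detector no longer fires and callers cannot
// read zero-valued defaults by mistake.
contract GettersInitialized {
    struct Season { uint32 current; bool paused; }

    Season internal s;
    address private immutable deployer;
    bool private initialized;

    error AlreadyInitialized();
    error NotDeployer();

    constructor() { deployer = msg.sender; }

    function initialize(uint32 startSeason) external {
        if (msg.sender != deployer) revert NotDeployer();
        if (initialized) revert AlreadyInitialized();
        initialized = true;
        s.current = startSeason;
        s.paused = false;
    }

    function season() external view returns (uint32) { return s.current; }
    function paused() external view returns (bool)   { return s.paused; }
}
```

Running `slither . --detect uninitialized-state` over these two contracts reports s in GettersUninitialized and nothing in GettersInitialized, which is the check to repeat after applying the fix.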