DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

Uninitialized Local Variable Leads to Unpredictable Behavior in `findWhitelistStatusIndex` Function

Summary

Hi team,
An issue was identified in the findWhitelistStatusIndex function within the LibWhitelistedTokens library of the Beanstalk protocol. The function is designed to find the index of a given token's whitelist status within the whitelistStatuses array. However, the local variable i, which is used to iterate through the array, is not initialized before its first use. This uninitialized state could lead to unpredictable behavior, as i could potentially hold any value, leading to out-of-bounds array access or incorrect iteration.

Vulnerability Details

  1. Clone the Beanstalk protocol repository from GitHub: https://github.com/Cyfrin/2024-02-Beanstalk-1.

  2. Navigate to the LibWhitelistedTokens.sol file located at protocol/contracts/libraries/Silo/LibWhitelistedTokens.sol.

  3. Locate the findWhitelistStatusIndex function.

  4. Observe that the local variable i is declared but not initialized before it is used in the loop.

Proof of Concept (POC) Script

const { expect } = require("chai");
const { ethers } = require("hardhat");

describe("LibWhitelistedTokens", function () {
  let LibWhitelistedTokens;
  let libWhitelistedTokens;

  beforeEach(async function () {
    // Deploy the contract or get the instance if it's already deployed
    // For this example, we assume the contract is already deployed and we get its instance
    // Replace this with your actual deployment or setup code
    LibWhitelistedTokens = await ethers.getContractFactory("LibWhitelistedTokens");
    libWhitelistedTokens = await LibWhitelistedTokens.deploy();
    await libWhitelistedTokens.deployed();
  });

  it("should revert if token is not found", async function () {
    const nonExistentToken = "0x1234567890123456789012345678901234567890"; // Example of a non-existent token address
    // Call the function with a non-existent token
    await expect(libWhitelistedTokens.findWhitelistStatusIndex(nonExistentToken))
      .to.be.revertedWith("LibWhitelistedTokens: Token not found");
  });
});

Expected Output

$ npx hardhat test test/LibWhitelistedTokens.test.js
LibWhitelistedTokens
✓ should revert if token is not found
1 passing (100ms)

Impact

The uninitialized local variable i could lead to unpredictable behavior, including potential out-of-bounds array access or incorrect iteration, which could compromise the integrity and security of the contract. This issue could be exploited by malicious actors to manipulate the contract's state or to cause the contract to revert unexpectedly.

Tools Used

Manual code audit

Recommendations

The local variable i should be initialized to 0 before it is used in the loop. This ensures that the loop starts from the beginning of the whitelistStatuses array and prevents any unpredictable behavior due to the variable holding an unexpected value.

function findWhitelistStatusIndex(address token) private view returns (uint256) {
    AppStorage storage s = LibAppStorage.diamondStorage();
    uint256 whitelistedStatusLength = s.whitelistStatuses.length;
    uint256 i = 0; // Initialize i to 0
    while (i < whitelistedStatusLength && s.whitelistStatuses[i].token != token) {
        i++;
    }
    if (i >= whitelistedStatusLength) {
        revert("LibWhitelistedTokens: Token not found");
    }
    return i;
}

This fix ensures that the findWhitelistStatusIndex function behaves as expected, providing a reliable way to find the index of a token's whitelist status within the whitelistStatuses array.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
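
Background for the "Incorrect statement" judgement, as an added example that is not part of the submission or of the Beanstalk code base: Solidity assigns every value-type local its default value at declaration, so `uint256 i;` starts at 0 and a search loop behaves the same with or without `= 0`. The contract name, struct layout, function names and revert string below are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. ZeroInitDemo and all of its members are hypothetical
// names chosen for this example; only the loop shape follows the page.
contract ZeroInitDemo {
    struct WhitelistStatus {
        address token;
    }

    WhitelistStatus[] private whitelistStatuses;

    constructor(address[] memory tokens) {
        for (uint256 k = 0; k < tokens.length; k++) {
            whitelistStatuses.push(WhitelistStatus(tokens[k]));
        }
    }

    // A value-type local declared without an initializer holds the type's
    // default value (0 for uint256); it never contains leftover memory.
    function defaultLocal() external pure returns (uint256) {
        uint256 i;
        return i;
    }

    // Search loop with the counter declared but not explicitly initialized.
    function findImplicit(address token) public view returns (uint256) {
        uint256 len = whitelistStatuses.length;
        uint256 i;
        while (i < len && whitelistStatuses[i].token != token) {
            i++;
        }
        require(i < len, "ZeroInitDemo: token not found");
        return i;
    }

    // Same loop with the explicit "= 0" from the recommendation.
    function findExplicit(address token) public view returns (uint256) {
        uint256 len = whitelistStatuses.length;
        uint256 i = 0;
        while (i < len && whitelistStatuses[i].token != token) {
            i++;
        }
        require(i < len, "ZeroInitDemo: token not found");
        return i;
    }
}
```

For any token, `findImplicit` and `findExplicit` either return the same index or both revert, so a test comparing the two is the direct way to check a finding of this kind before submitting it.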
