Beanstalk Part 1

Beanstalk

DeFiHardhatOracleProxyUpdates

100,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Conversion conditions are not checked when converting from one token to another, this can lead to a depeg of Bean

joshuajee

Summary

Conversion is one of the mechanisms Beanstalk uses in maintaining the peg. For conversion to be effective in maintaining the peg, Beanstalk set some rules when conversion can be carried out.
For example when converting BEAN:3CRV LP to BEAN, requires a condition that deltaB < 0.

https://docs.bean.money/almanac/peg-maintenance/convert

Vulnerability Details

The root cause of this Vulnerability is that the convert function doesn't check for deltaB before carrying out the conversion. So users can convert their BEAN:3CRV LP to BEAN, even when there is excess BEAN in the market. This will reduce the price of BEAN.
Other Pools are also affected by this vulnerability.

POC

Add the code below to https://github.com/Cyfrin/2024-02-Beanstalk-1/blob/main/protocol/test/ConvertCurve.test.js#L706

Run the code with the following command

yarn hardhat test --grep "POC-Convert"

On the test we can see that, the total deltaB before and after the conversion was 0, which violates the rule that deltaB < 0, for the conversion to work. But the conversion was done successfully.

it('POC-convert', async function () {

await this.silo.addWhitelistSelector(

this.beanMetapool.address,

this.bdv.interface.getSighash('curveToBDV')

);

await this.season.teleportSunrise(10);

await this.beanMetapool.connect(user).add_liquidity([toBean('200'), to18('0')], to18('150'));

await this.silo.connect(user).deposit(this.beanMetapool.address, to18('1000'), EXTERNAL);

this.stem = await this.siloGetters.seasonToStem(this.beanMetapool.address, await this.seasonGetters.season());

// call sunrise twice to finish germination.

await this.season.siloSunrise(0);

await this.season.mockEndTotalGerminationForToken(this.beanMetapool.address);

//DeltaB

console.log("Total deltaB accross pool", await this.seasonGetters.totalDeltaB())

this.result = await this.convert.connect(user).convert(

ConvertEncoder.convertCurveLPToBeans(

to18('100'),

toBean('99'),

this.beanMetapool.address

[this.stem],

[to18('100')]

)

console.log("Total deltaB accross pool After Conversion", await this.seasonGetters.totalDeltaB())

})

Impact

Loss of Peg due to excess bean

Tools Used

Manual Analysis

Recommendations

Add checks in LibCovert.sol::convert to ensure that the conversion conditions are met before carrying out the conversion. For example deltaB < 0, before converting from BEAN:3CRV LP to BEAN.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Informational/Invalid

Prize pool breakdown

Total prize

100,000 USDC

nSLOC

5,776

17 USDC / LOC

High Medium

95,000 USDC

Low

5,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.