100,000 USDC
Submission Details
Severity: low
Invalid

It is not possible to remove a whitelist status for a token

Vulnerability Details

According to the docs, "Once a token has no more Deposits in the Silo, it's WhitelistStatus should be removed through calling removeWhitelistStatus."

The issue is that removeWhitelistStatus is not added to any facet, so removing a token's whitelist status will require a further contract deployment using the Init pattern.

    // @audit no caller for this function
    function removeWhitelistStatus(address token) internal {
        AppStorage storage s = LibAppStorage.diamondStorage();
        uint256 tokenStatusIndex = findWhitelistStatusIndex(token);
        s.whitelistStatuses[tokenStatusIndex] = s.whitelistStatuses[s.whitelistStatuses.length - 1];
        s.whitelistStatuses.pop();
        emit RemoveWhitelistStatus(token, tokenStatusIndex);
    }

Note that addWhitelistStatus, for instance, is used inside WhitelistFacet -> LibWhitelist to add a new whitelisted token's status.

LibWhitelist:

    function whitelistToken(
        address token,
        bytes4 selector,
        uint16 stalkIssuedPerBdv,
        uint32 stalkEarnedPerSeason,
        bytes4 gaugePointSelector,
        bytes4 liquidityWeightSelector,
        uint128 gaugePoints,
        uint64 optimalPercentDepositedBdv
    ) external payable {
        LibDiamond.enforceIsOwnerOrContract();
        LibWhitelist.whitelistToken(
            token,
            selector,
            stalkIssuedPerBdv,
            stalkEarnedPerSeason,
            0x00,
            gaugePointSelector,
            liquidityWeightSelector,
            gaugePoints,
            optimalPercentDepositedBdv
        );
    }

Tools Used

Manual Review

Recommendations

Consider exposing removeWhitelistStatus through the whitelist facet, just as the addWhitelistStatus function is.
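
The recommendation above, sketched as an added example that is not part of the original submission and is not Beanstalk's code: an internal library function has no selector, so it only becomes reachable once a facet wraps it in an access-controlled external function. LibWhitelistExample, WhitelistFacetExample, the Layout struct, the WhitelistStatus fields, the storage slot name and the owner check are hypothetical stand-ins; only removeWhitelistStatus, findWhitelistStatusIndex, whitelistStatuses and the RemoveWhitelistStatus event are names taken from the snippet in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example with simplified stand-ins; not Beanstalk's storage layout or access control.
struct WhitelistStatus { address token; bool isWhitelisted; }

library LibWhitelistExample {
    struct Layout { address owner; WhitelistStatus[] whitelistStatuses; }

    event RemoveWhitelistStatus(address token, uint256 index);

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = keccak256("example.whitelist.storage"); // constructed slot name
        assembly { l.slot := slot }
    }

    function addWhitelistStatus(address token) internal {
        layout().whitelistStatuses.push(WhitelistStatus(token, true));
    }

    // Reverts when the token has no status, so a miss can never remove another entry.
    function findWhitelistStatusIndex(address token) internal view returns (uint256) {
        WhitelistStatus[] storage statuses = layout().whitelistStatuses;
        for (uint256 i; i < statuses.length; i++) {
            if (statuses[i].token == token) return i;
        }
        revert("Whitelist: token has no status");
    }

    // Swap-and-pop as in the report's snippet. Internal: no selector, reachable only via a caller.
    function removeWhitelistStatus(address token) internal {
        Layout storage l = layout();
        uint256 i = findWhitelistStatusIndex(token);
        l.whitelistStatuses[i] = l.whitelistStatuses[l.whitelistStatuses.length - 1];
        l.whitelistStatuses.pop();
        emit RemoveWhitelistStatus(token, i);
    }
}

// Hypothetical facet: the external functions are what give the diamond selectors to route.
contract WhitelistFacetExample {
    constructor() { LibWhitelistExample.layout().owner = msg.sender; } // standalone demo only
    modifier onlyOwner() { require(msg.sender == LibWhitelistExample.layout().owner, "not owner"); _; }

    function addWhitelistStatus(address token) external onlyOwner { LibWhitelistExample.addWhitelistStatus(token); }

    // Not modeled: the docs' precondition that the token has no more Deposits in the Silo.
    function removeWhitelistStatus(address token) external onlyOwner { LibWhitelistExample.removeWhitelistStatus(token); }
}
```

In a real diamond the owner check would be the project's own guard (the facet code quoted above uses LibDiamond.enforceIsOwnerOrContract()), and the new selector would still have to be registered through a diamond cut.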

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
