Summary

Beanstalk uses a forked version of Uniswap V2 Router, highlighted in their removeLiquidityOneToken.

However, there isn't a tx deadline check in the LibWellConvert.removeLiquidityOneToken function.

The transaction expiration check (implemented in Uniswap via the deadline argument) allows users of Uniswap
to protect from selling tokens at an outdated price that's lower than the current price.

Vulnerability Details

The usage of block.timestamp as a deadline means transactions can remain pending without a definitive expiration, subjecting them to potential market volatility. In scenarios of network congestion or intentionally low gas fees, a user's conversion request might not process promptly. During this indeterminate period, the market value of Beans relative to LP tokens could deteriorate, leading to significantly less favorable conversion rates when the
transaction eventually executes.

Impact

This exposes users to delayed transactions from validators, resulting in unfavorable conversion rates.

Tools Used

Manual Review

Recommendations

Protocols implementing Uniswap V2 Router logic should always include a user defined deadline to prevent transactions from being executed at disadvantaged times.

https://github.com/Uniswap/v2-periphery/blob/0335e8f7e1bd1e8d8329fd300aea2ef2f36dd19f/contracts/UniswapV2Router01.sol#L116