100,000 USDC
Submission Details
Severity: low
Invalid

`SeasonFacet` has payable functions without having a withdraw method

Summary

Both the sunrise and gm functions from the SeasonFacet contract are flagged as payable, but without a withdraw function there's a chance that funds might get stuck inside.

Vulnerability Details

These functions are flagged as payable because they might be used in a pipeline call where ETH is involved (for example, a transaction that calls sunrise -> sells bean to ETH -> transfers to another user). But any misconfiguration or partial swap inside the pipeline will result in dust/significant amounts stuck in the contract.

Impact

Likelihood is low because the conditions necessary for this to happen are not that common.

Impact is medium-low because the amounts won't necessarily be big.

Overall low severity.

Tools Used

Manual review

Recommendations

Implement a withdraw function that can save any ETH stuck inside the contract.
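
The pattern the report describes, with the recommended recovery path, as an added example that is not part of the submission and not Beanstalk's code. The contract, the `step` and `rescueEth` functions, and the `rescuer` role are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical stand-alone contract illustrating the finding; it is not
/// Beanstalk's SeasonFacet, and every name here is an assumption.
contract PayableWithRescue {
    address public immutable rescuer; // assumed privileged recovery role

    event EthRescued(address indexed to, uint256 amount);

    constructor(address _rescuer) {
        require(_rescuer != address(0), "zero rescuer");
        rescuer = _rescuer;
    }

    /// Payable entry point in the style of sunrise()/gm(): it can be one step
    /// of a larger multi-step transaction that carries ETH. `next` and
    /// `amount` model the following step spending only part of msg.value.
    function step(address payable next, uint256 amount) external payable {
        require(amount <= msg.value, "spends more than sent");
        (bool ok, ) = next.call{value: amount}("");
        require(ok, "forward failed");
        // msg.value - amount now sits in this contract. Without a recovery
        // function this remainder is the stuck dust the report describes.
    }

    /// Recovery path the report recommends: an access-controlled withdrawal
    /// of ETH held by the contract.
    function rescueEth(address payable to, uint256 amount) external {
        require(msg.sender == rescuer, "not rescuer");
        require(to != address(0), "zero recipient");
        require(amount <= address(this).balance, "insufficient balance");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit EthRescued(to, amount);
    }
}
```

If the contract is ever meant to hold ETH on behalf of users, an unrestricted sweep like `rescueEth` would need to exclude those balances.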

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Stuck funds
