The sop function in the Beanstalk protocol contains a vulnerability where the swapFrom call has hardcoded values for minAmountOut (slippage protection) and deadline. The absence of slippage protection and the disabled deadline check makes the protocol susceptible to sandwich attacks, MEV exploits, and potential significant loss of tokens.
The lack of slippage protection and the disabled deadline check expose users to the risk of receiving 0 output tokens and allow transactions to be executed at unfavorable times. This vulnerability can result in substantial financial losses for users.
When swapFrom is called here ( https://github.com/Cyfrin/2024-02-Beanstalk-1/blob/main/protocol/contracts/beanstalk/sun/SeasonFacet/Weather.sol#L203-L210 ), the minAmountOut is hardcoded to 0 and the deadline is set to type(uint256).max, which means the deadline check is disabled!
When the sop() function is called, it will try to perform the swap. While the transaction is in the mempool, "minTokensOut" is hard-coded to 0, so the swap can potentially return 0 output tokens, and the deadline parameter is hard-coded to the max value of uint256, so the transaction can be held and executed at a much later and more unfavorable time to the user. This combination of no slippage protection and no deadline exposes the user to the potential loss of all their input tokens!
Allow the user to specify the slippage parameters minAmountOut and deadline.
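The effect of the two parameters can be seen in a simplified model, added here as an illustration and not code from Beanstalk or the Well it calls. It assumes a fee-less constant-product pool; the names Pool, bounded_params and outcome, the reserves, amounts, timestamp, 50 bps tolerance and 300 second lifetime are all constructed for the example.

```python
# Simplified x*y=k pool (no fee) modelling only the two checks a swapFrom-style
# call enforces: minAmountOut and deadline. All reserves and amounts are constructed.
UINT256_MAX = 2**256 - 1
T0 = 1_700_000_000             # constructed timestamp when the tx is submitted
SOP_IN = 10_000 * 10**6        # constructed input amount (6-decimal token)

class SwapReverted(Exception):
    pass

class Pool:
    def __init__(self, reserve_in=1_000_000 * 10**6, reserve_out=500 * 10**18):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out

    def quote(self, amount_in):
        return amount_in * self.reserve_out // (self.reserve_in + amount_in)

    def swap_from(self, amount_in, min_amount_out, deadline, now):
        if now > deadline:
            raise SwapReverted("expired")
        amount_out = self.quote(amount_in)
        if amount_out < min_amount_out:
            raise SwapReverted("slippage")
        self.reserve_in += amount_in
        self.reserve_out -= amount_out
        return amount_out

def bounded_params(quoted_out, max_slippage_bps=50, ttl_seconds=300):
    """Derive minAmountOut and deadline from a quote taken at submission time."""
    return quoted_out * (10_000 - max_slippage_bps) // 10_000, T0 + ttl_seconds

def outcome(min_amount_out, deadline, prior_swap_in=0, delay=0):
    """Execute the swap after `delay` seconds; `prior_swap_in` is a same-direction
    swap that lands first and moves the price. Returns amount out or revert reason."""
    pool, now = Pool(), T0 + delay
    if prior_swap_in:
        pool.swap_from(prior_swap_in, 0, UINT256_MAX, now)
    try:
        return pool.swap_from(SOP_IN, min_amount_out, deadline, now)
    except SwapReverted as exc:
        return str(exc)

if __name__ == "__main__":
    quoted = Pool().quote(SOP_IN)
    moved, day = 1_000_000 * 10**6, 86_400
    print("quote at submission:       ", quoted)
    print("hardcoded 0 / max, moved:  ", outcome(0, UINT256_MAX, moved, day))
    print("bounded, price moved:      ", outcome(*bounded_params(quoted), prior_swap_in=moved))
    print("bounded, executed late:    ", outcome(*bounded_params(quoted), delay=day))
    print("bounded, normal execution: ", outcome(*bounded_params(quoted), delay=10))
```

With 0 and the maximum uint256 the swap settles a day late at roughly a quarter of the quoted output; with bounds derived from the quote the same conditions revert instead.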