Beanstalk Part 1
Beanstalk
DeFiHardhatOracleProxyUpdates
100,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Length mismatch between stems and amounts can be passed to `enrootDeposits`, can lead to run time errors or silent data corruption

0xtheblackpanther

Summary

The EnrootFacet exhibits a potential issue related to a length mismatch between the stems and amounts arrays in the enrootDeposits and removeDepositsFromAccount functions. The absence of a length check may lead to unexpected behavior or runtime errors.

Impact

  1. Runtime Errors: The absence of a length check in the provided code may lead to runtime errors during the execution of the enrootDeposits and removeDepositsFromAccount functions if the lengths of the stems and amounts arrays are not the same.

  2. Unexpected Behavior: In scenarios where the lengths of stems and amounts arrays differ, the contract might not execute the intended logic correctly.

  3. User experience: User will get frustrated if he is not getting a proper error message on revert.

PoC

  • Assume the unripeBean is whitelisted and unripe token

  • Copy the below test and run forge test --match-test testEnrootDeposits -vvvv cmd

function testEnrootDeposits() public {
// Example stems and amounts arrays with the diff length
int96[] memory stems = new int96[](3);
stems[0] = 100;
stems[1] = 200;
stems[2] = 300;
uint256[] memory amounts = new uint256[](1);
amounts[0] = 1000;
enrootFacet.enrootDeposits(address (unripeBean), stems, amounts);
}

Result if amount < steps:

├─ [47808] EnrootFacet::enrootDeposits(UnripeBean: [0xDB8979F5f6e3c44F8312097E3E424543d0156cD8], [100, 200, 300], [1000])
│ └─ ← EvmError: **InvalidFEOpcode**
└─ ← EvmError: Revert

Result if amount > steps:

│ ├─ [102] EnrootFacet::00000000(00000000000000000000000000000000000000000000000000000000000003e8) [staticcall]
│ │ └─ ← ()
│ └─ ← EvmError: Revert
└─ ← EvmError: Revert

Recommendations

Add a quick check at the start of the enrootDeposits function to make sure the lengths of the stems and amounts lists are the same.

// Check if the array lengths match
require(stems.length == amounts.length, "Silo: Length mismatch between stems and amounts");

After investigating further, it turns out this function is also used in _withdrawDeposits, which already has a similar check. So, it makes sense to suggest adding this length check directly to the shared LibSilo library. This way, every time _removeDepositsFromAccount is called, it will automatically handle the check, making the code cleaner and avoiding repetition.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Array length mismatch

0xtheblackpanther Submitter
over 1 year ago
giovannidisiena Lead Judge
over 1 year ago
giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Array length mismatch

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.