DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

`SEEDS_PER_BEAN` mismatches the documented Seeds reward value

Summary

In the InitWhitelist smart contract, the constants for seeds rewards per BDV for the various assets are not aligned with the official documentation (docs ref. https://docs.bean.money/almanac/farm/silo). The constants BEAN_3CRV_SEEDS and BEAN_SEEDS are set to 4 and 2 respectively, which do not match the documented values of 3.25 for the BEAN:3CRV LP and 3 for Bean.

The constant SEEDS_PER_BEAN in the C smart contract is likewise set to 2, which does not match the official documentation either.

Vulnerability Details

This discrepancy means the smart contract's logic does not calculate participants' seeds rewards as the project's documentation states. Seeds rewards determine the staking rewards within the protocol, so any mismatch directly affects the incentives for users participating in it.

InitWhitelist.sol

```solidity
uint32 private constant BEAN_3CRV_STALK = 10000;
@> uint32 private constant BEAN_3CRV_SEEDS = 4;
uint32 private constant BEAN_STALK = 10000; //stalk per bdv (bdv is 6, stalk is 10, so need 4 here)
@> uint32 private constant BEAN_SEEDS = 2; //seeds per bdv of bean (1e6 is one bean)
```

C.sol

```solidity
@> uint256 internal constant SEEDS_PER_BEAN = 2;
```

Impact

The impact of this vulnerability is twofold:

  • User Trust: users' trust in the protocol could be significantly undermined upon realizing that the rewards received do not match the officially documented figures. This discrepancy could lead to reduced participation in staking / farming activities.

  • Protocol Participation: incorrect seeds rewards calculation could lead to an imbalance in the protocol's economy. Users might find it less attractive to stake or farm within the protocol, leading to decreased liquidity and overall participation, which could harm the protocol's long-term viability.

Note: While InitWhitelist.sol and C.sol are currently considered out of scope, the security researcher deems it crucial to highlight this discrepancy because of its potential impact on the overall project, including factors such as user satisfaction and adoption (this value is used across the whole system).

Tools Used

Manual review

Recommendations

Align the hardcoded constant values in the code with the values stated in the documentation, so that both carry the same figures.
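As an added example (not code from this submission or from the Beanstalk code base), a documentation-drift check that a Hardhat project could run in CI: it extracts `constant` declarations from Solidity source text and compares them with the values the documentation states, reporting every constant that is missing, mismatched, or not representable as an integer. The source excerpt and the documentation table are constructed from the figures in the finding, and the scale factor of 1 is an assumption (a documented fraction such as 3.25 cannot be stored in a `uint32` without a scale factor, which the check flags rather than guessing one).

```javascript
// Constructed excerpt standing in for InitWhitelist.sol / C.sol (values as quoted in the finding).
const SOURCES = {
  "InitWhitelist.sol": `
    uint32 private constant BEAN_3CRV_STALK = 10000;
    uint32 private constant BEAN_3CRV_SEEDS = 4;
    uint32 private constant BEAN_SEEDS = 2;
  `,
  "C.sol": `
    uint256 internal constant SEEDS_PER_BEAN = 2;
  `,
};

// Values the documentation states, keyed by file and constant name (constructed table).
// `scale` is the integer multiplier the contract applies to the documented unit; 1 is an assumption.
const DOCUMENTED = {
  "InitWhitelist.sol": {
    BEAN_3CRV_SEEDS: { value: 3.25, scale: 1 },
    BEAN_SEEDS: { value: 3, scale: 1 },
  },
  "C.sol": { SEEDS_PER_BEAN: { value: 3, scale: 1 } },
};

// Pull `uint<N> [visibility] constant NAME = <integer>;` declarations out of a source string.
function extractConstants(src) {
  const re = /uint\d*\s+(?:private|internal|public)?\s*constant\s+([A-Z0-9_]+)\s*=\s*(\d+)\s*;/g;
  const out = {};
  for (const m of src.matchAll(re)) out[m[1]] = BigInt(m[2]);
  return out;
}

// Compare every documented constant with the code; return a list of findings (empty means aligned).
function checkDrift(sources, documented) {
  const findings = [];
  for (const [file, table] of Object.entries(documented)) {
    const inCode = extractConstants(sources[file] || "");
    for (const [name, { value, scale }] of Object.entries(table)) {
      const expected = value * scale;
      if (!Number.isInteger(expected)) {
        // Documented value cannot be an integer constant at this scale: the scale itself is wrong or undocumented.
        findings.push({ file, name, kind: "unrepresentable", documented: value, scale });
      } else if (!(name in inCode)) {
        findings.push({ file, name, kind: "missing", documented: value });
      } else if (inCode[name] !== BigInt(expected)) {
        findings.push({ file, name, kind: "mismatch", documented: value, code: Number(inCode[name]) });
      }
    }
  }
  return findings;
}
```

Run against the constructed sources it reports three findings: BEAN_3CRV_SEEDS as unrepresentable at scale 1, and BEAN_SEEDS and SEEDS_PER_BEAN as mismatches (code 2, documented 3).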

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid

