100,000 USDC
Submission Details
Severity: low
Invalid

No max amount limit on Tokens in `deposit`

Summary

Someone can deposit a large amount of tokens in order to manipulate the Beanstalk protocol and gain a majority of the voting power in the DAO.

Vulnerability Details

See the code below:

```solidity
function deposit(address token, uint256 _amount, LibTransfer.From mode)
    external
    payable
    nonReentrant
    mowSender(token)
    returns (uint256 amount, uint256 _bdv, int96 stem)
{
    amount = LibTransfer.receiveToken(IERC20(token), _amount, msg.sender, mode);
    (_bdv, stem) = _deposit(msg.sender, token, amount);
}
```

Impact

If someone gets more than 50% of the total Beanstalk tokens, they can easily manipulate its Bean price, supply, soil supply, and even temperature. They can also manipulate DAO decisions.

Tools Used

Manual Review

Recommendations

There should be a max amount limit on tokens in order to avoid this manipulation.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Informational/Invalid

0xbeastboy Submitter
over 1 year ago