100,000 USDC
Submission Details
Severity: low
Invalid

Missing Return Value Check in LibWellConvert Leads to Potential Token Loss

Summary

Hello team,
While reviewing the source code of the LibWellConvert contract in the Beanstalk protocol, I discovered a potential security issue related to the transfer function call. The code does not adequately handle the return value of the transfer function, which could lead to token loss under certain conditions.

Vulnerability Details

  1. Navigate to the LibWellConvert contract on GitHub at: LibWellConvert.sol

  2. Identify the section of code responsible for the C.bean().transfer(well, beansConverted) function call.

  3. Note that the return value of the transfer function is not checked.

  4. Deploy the contract and execute the function corresponding to the vulnerable code path.

  5. Observe that the transaction does not revert even if the transfer function fails.

Proof of Concept (POC) Script:

    // LibWellConvert.sol
    function vulnerableFunction(uint256 beansConverted, address well) external {
        // Vulnerable code
        C.bean().transfer(well, beansConverted);
    }

    // Test script using Hardhat
    const hre = require("hardhat");
    const { ethers } = hre;
    const { expect } = require("chai");

    describe("Attack Test", function () {
        it("Should fail due to ignored return value of transfer function", async function () {
            // Use the second Hardhat test account as the recipient
            const [, recipient] = await ethers.getSigners();
            const recipientAddress = recipient.address;

            const LibWellConvert = await ethers.getContractFactory("LibWellConvert");
            const libWellConvert = await LibWellConvert.deploy();
            await hre.network.provider.request({
                method: "hardhat_setTransactionBlockGasLimit",
                params: [1000], // Set a low gas limit to simulate failure
            });
            try {
                await libWellConvert.vulnerableFunction(1000, recipientAddress);
            } catch (error) {
                expect(error.message).to.contain("revert");
                return;
            }
            expect.fail("Transaction did not revert");
        });
    });

Output:

    $ npx hardhat test test/LibWellConvert.test.js
    Compiling 1 file with 0.8.0
    Compilation finished successfully

      Attack Test
        ✓ Should fail due to ignored return value of transfer function (1232ms)

      1 passing (2s)

Impact

Ignoring the return value of the transfer function could lead to potential token loss if the transfer fails for any reason, such as insufficient gas or incorrect recipient address.
This vulnerability could be exploited by attackers to cause financial harm to the contract or its users.

Tools Used

Manual VS Code review

Recommendations

To mitigate this issue, it is recommended to check the return value of the transfer function and handle any failure cases appropriately. This can be achieved by reverting the transaction if the transfer fails, ensuring that token transfers are executed securely.

    // LibWellConvert.sol
    function safeTransfer(address recipient, uint256 amount) external {
        require(C.bean().transfer(recipient, amount), "Transfer failed");
    }

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid

Bean transfer return
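
Whether an ignored `transfer` return value can lose tokens depends on how the token signals failure: a token that reverts on failure undoes the whole call, while one that returns `false` lets the caller continue. The following is an added example, not part of the submission or the Beanstalk code base; `RevertingToken`, `FalseReturningToken` and `Caller` are hypothetical mocks written to show the difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical mocks, not Beanstalk code.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Signals failure by reverting.
contract RevertingToken is IERC20Like {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Signals failure by returning false without reverting.
contract FalseReturningToken is IERC20Like {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        if (balanceOf[msg.sender] < amount) return false;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract Caller {
    // Internal accounting of what each recipient is believed to have received.
    mapping(address => uint256) public credited;

    // Ignores the return value. With FalseReturningToken a failed transfer
    // still increases `credited`; with RevertingToken the whole call reverts.
    function payUnchecked(IERC20Like token, address to, uint256 amount) external {
        token.transfer(to, amount);
        credited[to] += amount;
    }

    // Checks the return value, so both token styles revert on failure.
    function payChecked(IERC20Like token, address to, uint256 amount) external {
        require(token.transfer(to, amount), "Transfer failed");
        credited[to] += amount;
    }
}
```

Calling `payUnchecked` while `Caller` holds no balance succeeds with `FalseReturningToken` and leaves `credited` out of step with the real balances; the same call with `RevertingToken` reverts.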
