Beanstalk: Dive Into Basin
Beanstalk
DeFiHardhat
12,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Missing check for the invalid j arg

0xbug

Summary

It assumes the length of the reserves array is 2, so j argument should be less than 2 but there is no checking for it.
If the j argument isn't less than 2 and the reserves array has a different size than expected (not 2), it could lead to unexpected behavior or errors in these functions.

Vulnerability Details

https://github.com/Cyfrin/2024-04-Beanstalk-DIB/blob/main/src/functions/ConstantProduct2.sol#L92
https://github.com/Cyfrin/2024-04-Beanstalk-DIB/blob/main/src/functions/ConstantProduct2.sol#L105
https://github.com/Cyfrin/2024-04-Beanstalk-DIB/blob/main/src/functions/ConstantProduct2.sol#L114

function calcReserveAtRatioSwap(
uint256[] calldata reserves,
uint256 j,
uint256[] calldata ratios,
bytes calldata
) external pure override returns (uint256 reserve) {
uint256 i = j == 1 ? 0 : 1; // @audit missing check for j
// use 512 muldiv for last mul to avoid overflow
reserve = (reserves[i] * reserves[j]).mulDiv(ratios[j], ratios[i]).sqrt();
}

Impact

It could cause unexpected behavior or errors.

Tools Used

Manual

Recommendations

Consider adding checks to ensure both the reserves array length and the j parameter meet the expected criteria.

if (j >= 2) {
revert InvalidJArgument();
}
if (reserves.length != 2) revert("");
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Informational/Invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.