Beanstalk: Dive Into Basin

Beanstalk

DeFiHardhat

12,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Instantaneous reserves are incorrectly cached in `readInstantaneousReserves()`

tricko

Summary

Instantaneous reserves are incorrectly cached in MultiFlowPump.readInstantaneousReserves() after calls to MultiFlowPump.update(), thus resulting in incorrect instantaneous reserve values on some situations.

Vulnerability Details

When MultiFlowPump.readInstantaneousReserves() is called it does fetch the current reserves from the well contract, then it reads the last reserves stored and checks the difference between the current block timestamp and the last timestamp in which reserves were updated (deltaTimestamp). If deltaTimestamp == 0, then the stored EMA values store are returned.

However MultiFlowPump.update() only updates once per block. Further calls from the same Well to update() will return early (if (deltaTimestamp == 0) return;). Thus once MultiFlowPump.update() is called, no more updates to the reserves are going to be registered in that same block.

Therefore if there are any modification to the Well state after the MultiFlowPump.update(), (swaps, adding/removing liquidity) the reserves will be updated at the Well, but those values stored at the pump will be outdated until the end of the block. Thus any call to MultiFlowPump.readInstantaneousReserves() on this situations will return outdated reserve values.

Consider the following scenario, all steps occur on the same block.

MultiFlowPump.update() is called, updating EMA and cumulative reserves.
Swap is executed at the Well, altering its internal reserves
MultiFlowPump.readInstantaneousReserves() is called, due to deltaTimestamp == 0 it will return instead of using the values retrieved from the Well contract, however because of the previous swap, the reserve values stored in the Pump are now outdated.

As described above calls to MultiFlowPump.readInstantaneousReserves() after MultiFlowPump.update() has been called may result in outdated reserve values (depending if some action like swaps has been executed in the Well). Considering that the readInstantaneousReserves() should return instantaneous values, due to this incorrect caching, it will return outdated reserve values on some circumstances.

Impact

If MultiFlowPump.readInstantaneousReserves() is called after MultiFlowPump.update() on the same block, then the reserves values returned might be incorrect due to caching.

Tools Used

Manual Review

Recommendations

Consider using the reserve values fetched from the Well contract on all conditions, even when deltaTimestamp == 0.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Informational/Invalid

Prize pool breakdown

Total prize

12,000 USDC

nSLOC

479

25 USDC / LOC

High Medium

10,000 USDC

Low

1,000 USDC

Judges

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.