Beanstalk: Dive Into Basin

Beanstalk

DeFiHardhat

12,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Using bytes number instead of slots number in the next slot calculation

pontifex

Summary

The MultiFlowPump._getSlotsOffset function correctly calculates "the starting byte of the slot that contains the nth element of an array". But this is not the correct value for the use cases where the function is invoked. So storage values are stored in unexpected slots.

Vulnerability Details

The MultiFlowPump._getSlotsOffset function is invoked to calculate a slot number after reserves.

function update(uint256[] calldata reserves, bytes calldata data) external {

<...>

pumpState.lastReserves = _capReserves(msg.sender, pumpState.lastReserves, reserves, capExponent, crp);

// Read: Cumulative & EMA Reserves

>> // Start at the slot after `pumpState.lastReserves`

>> uint256 numSlots = _getSlotsOffset(numberOfReserves);

assembly {

slot := add(slot, numSlots)

}

pumpState.emaReserves = slot.readBytes16(numberOfReserves);

assembly {

slot := add(slot, numSlots)

}

But the _getSlotsOffset returns an offset in the bytes number instead of the slots number which is necessary for the store. So the actual offset is 32 times more than the expected one:

/**

* @dev Get the starting byte of the slot that contains the `n`th element of an array.

function _getSlotsOffset(uint256 numberOfReserves) internal pure returns (uint256 _slotsOffset) {

_slotsOffset = ((numberOfReserves - 1) / 2 + 1) << 5;

}

Impact

Unintended behavior

Tools used

Manual Review

Recommendations

Consider using slots number instead of bytes

/**

- * @dev Get the starting byte of the slot that contains the `n`th element of an array.

+ * @dev Get the slot number that contains the `n`th element of an array.

function _getSlotsOffset(uint256 numberOfReserves) internal pure returns (uint256 _slotsOffset) {

- _slotsOffset = ((numberOfReserves - 1) / 2 + 1) << 5;

+ _slotsOffset = ((numberOfReserves - 1) / 2 + 1);

}

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Slot offset

giovannidisiena Lead Judge

about 1 year ago

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Slot offset

Prize pool breakdown

Total prize

12,000 USDC

nSLOC

479

25 USDC / LOC

High Medium

10,000 USDC

Low

1,000 USDC

Judges

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.