DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Valid

Deprecated pool BEAN:WETH on LibBarnRaise used as fallback

Summary

The protocol will migrate the Bean:WETH Well LP to the Bean:wsETH Well LP once the BIP migration is initialized:

InitMigrateUnripeBeanEthToBeanSteth -> LibFertilizer -> beginBarnRaiseMigration -> switchUnderlyingToken

LibUnripe.switchUnderlyingToken(C.UNRIPE_LP, well);

This will change the underlying token of C.UNRIPE_LP to the new Bean:wsETH pool.

Vulnerability Details

Whenever getBarnRaiseWell falls back because underlyingToken is unset, the pool it returns should be the newly added Bean:wsETH pool, not Bean:WETH. Currently, the Bean:WETH pool is returned.

Impact

getBarnRaiseWell is used in several areas of the protocol, such as:

  • Token conversions (LibConvert)

  • BDV calculation

  • caseId calculation

Whenever the fallback underlyingToken is used, it will completely break the protocol logic, as Bean:WETH is not the current underlying token after the migration.

PoC

Add the following test inside BeanEthToBeanWstethMigration.test.js -> 'Initializes migration'

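describe('When the fallback unlderyingToken is used', async function () {
  it('should return valid fallback token', async function () {
    // Clear the underlying token so that LibBarnRaise takes the fallback branch.
    await this.beanstalk.connect(owner).switchUnderlyingToken(UNRIPE_LP, ethers.constants.AddressZero)
    // After the migration, the Barn Raise token is expected to be wstETH, not WETH.
    expect(await this.beanstalk.getBarnRaiseToken()).to.be.equal(WSTETH)
  })
})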

Output:

21 passing (19s)
1 failing
1) Bean:Eth to Bean:Wsteth Migration
Initializes migration
When the fallback unlderyingToken is used
should return valid fallback token:
AssertionError: expected '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C7…' to equal '0x7f39C581F595B53c5cb19bD0b3f8dA6c935…'
+ expected - actual
-0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
+0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0

Tools Used

Hardhat & Manual Review

Recommendations

Use C.BEAN_WSTETH_WELL as the fallback for the underlying token in LibBarnRaise. Also, ensure that C.BEAN_WSTETH_WELL is set to the correct address.

return
s.u[C.UNRIPE_LP].underlyingToken == address(0)
- ? C.BEAN_ETH_WELL
+ ? C.BEAN_WSTETH_WELL
: s.u[C.UNRIPE_LP].underlyingToken;
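
Review bot: The `? C.BEAN_WSTETH_WELL` branch still resolves a zero underlyingToken to a hard-coded constant, so the same stale-pool fallback reappears the next time the underlying token of C.UNRIPE_LP is switched unless this line is edited again. Add a comment on the ternary stating that the constant must always match the current underlying Well of C.UNRIPE_LP, and keep the zero-address test from the PoC in the migration suite as a regression check, since it is the only place where the fallback branch is exercised.
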
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid

holydevoti0n Submitter
about 1 year ago
giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Fallback Well
