Beanstalk Part 2

Beanstalk

DeFiHardhat

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Deprecated pool BEAN:WETH on LibBarnRaise used as fallback

holydevoti0n

Summary

The protocol will migrate the Bean:WETH Well LP to Bean:wsETH Well LP after initializing the bip migration:

InitMigrateUnripeBeanEthToBeanSteth -> LibFertilizer -> beginBarnRaiseMigration -> switchUnderlyingToken

LibUnripe.switchUnderlyingToken(C.UNRIPE_LP, well);

This will change the underlying token of C.UNRIPE_LP to the new Bean:wsETH pool.

Vulnerability Details

Whenever getBarnRaiseWell uses a fallback underlyingToken, the correct pool to be returned should be the new one added Bean:wsETH not Bean:WETH. But currently, the Bean:WETH pool is used.

Impact

As the getBarnRaiseWell is used in several areas of the protocol like:

Token conversions(LibConvert)
Calculate BDV
Calculate the caseId

Whenever the fallback underlyingToken is used it will completely break the protocol logic as Bean:WETH is not the current underlying token after the migration.

PoC

Add the following test inside BeanEthToBeanWstethMigration.test.js -> 'Initializes migration'

describe('When the fallback unlderyingToken is used', async function () {

it('should return valid fallback token', async function () {

await this.beanstalk.connect(owner).switchUnderlyingToken(UNRIPE_LP, ethers.constants.AddressZero)

expect(await this.beanstalk.getBarnRaiseToken()).to.be.equal(WSTETH)

})

Output:

21 passing (19s)

1 failing

1) Bean:Eth to Bean:Wsteth Migration

Initializes migration

When the fallback unlderyingToken is used

should return valid fallback token:

AssertionError: expected '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C7…' to equal '0x7f39C581F595B53c5cb19bD0b3f8dA6c935…'

+ expected - actual

-0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2

+0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0

Tools Used

Hardhard & Manual Review

Recommendations

Add the C.BEAN_WSTETH_WELL as a fallback for the underlying token on LibBarnRaise. Also, ensure C.BEAN_WSTETH_WELL will have the correct address.

return

s.u[C.UNRIPE_LP].underlyingToken == address(0)

- ? C.BEAN_ETH_WELL

+ ? C.BEAN_WSTETH_WELL

: s.u[C.UNRIPE_LP].underlyingToken;

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational/Invalid

holydevoti0n Submitter

about 1 year ago

giovannidisiena Lead Judge

about 1 year ago

holydevoti0n Submitter

about 1 year ago

holydevoti0n Submitter

about 1 year ago

giovannidisiena Lead Judge

about 1 year ago

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Fallback Well

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

1,991

18 USDC / LOC

High Medium

30,000 USDC

Low

1,500 USDC

Judges

3,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.