Beanstalk Part 2

Beanstalk

DeFiHardhat

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

InitMigrateUnripeBeanEthToBeanSteth.init() may be front-run

tigerfrake

Summary

The InitMigrateUnripeBeanEthToBeanSteth.init() has no access control mechanism which allows it to be called by any arbitrary user.

Vulnerability Details

function init() external {

// Turn off Bean:Eth Minting while Multi Flow Pump catches up

delete s.wellOracleSnapshots[C.BEAN_ETH_WELL];

s.season.beanEthStartMintingSeason = s.season.current + BEAN_ETH_PUMP_CATCH_UP_SEASONS;

LibWhitelist.whitelistToken(

C.BEAN_WSTETH_WELL,

BDVFacet.wellBdv.selector,

STALK_ISSUED_PER_BDV,

0, // No need to set Stalk issued per BDV

0x01,

IGaugePointFacet.defaultGaugePointFunction.selector,

ILiquidityWeightFacet.maxWeight.selector,

BEAN_WSTETH_INITIAL_GAUGE_POINTS,

OPTIMAL_PERCENT_DEPOSITED_BDV

);

LibWhitelist.updateOptimalPercentDepositedBdvForToken(

C.BEAN_ETH_WELL,

MAX_PERCENT_DEPOSITED_BDV - OPTIMAL_PERCENT_DEPOSITED_BDV

);

LibFertilizer.beginBarnRaiseMigration(C.BEAN_WSTETH_WELL);

}

According to Natspec this function:

/**

* Initializes the Migration of the Unripe LP underlying tokens from Bean:Eth to Bean:Steth.

* It:

* - Turns off Bean:Eth Minting while Multi Flow Pump catches up

* - Whitelists Bean:WstETH

* - Updates the optimal percent deposited for Bean:Eth

* - Migrates the Unripe LP underlying tokens from Bean:Eth to Bean:Wsteth

Impact

Without access control, the init() function can be called by any external account or contract, potentially leading to unauthorized initialization

Tools Used

Manual Review

Recommendations

Use access control modifiers such as onlyOwner, onlyAdmin, or custom modifiers to restrict access to privileged functions like init().
Only designated accounts or contracts should have permission to call these functions.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Init access control

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

1,991

18 USDC / LOC

High Medium

30,000 USDC

Low

1,500 USDC

Judges

3,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.