Submission Details
Severity: low
Invalid

InitMigrateUnripeBeanEthToBeanSteth.init() may be front-run

Summary

The InitMigrateUnripeBeanEthToBeanSteth.init() function has no access control mechanism, which allows it to be called by any arbitrary user.

Vulnerability Details

function init() external {
    // Turn off Bean:Eth Minting while Multi Flow Pump catches up
    delete s.wellOracleSnapshots[C.BEAN_ETH_WELL];
    s.season.beanEthStartMintingSeason = s.season.current + BEAN_ETH_PUMP_CATCH_UP_SEASONS;
    LibWhitelist.whitelistToken(
        C.BEAN_WSTETH_WELL,
        BDVFacet.wellBdv.selector,
        STALK_ISSUED_PER_BDV,
        0, // No need to set Stalk issued per BDV
        0x01,
        IGaugePointFacet.defaultGaugePointFunction.selector,
        ILiquidityWeightFacet.maxWeight.selector,
        BEAN_WSTETH_INITIAL_GAUGE_POINTS,
        OPTIMAL_PERCENT_DEPOSITED_BDV
    );
    LibWhitelist.updateOptimalPercentDepositedBdvForToken(
        C.BEAN_ETH_WELL,
        MAX_PERCENT_DEPOSITED_BDV - OPTIMAL_PERCENT_DEPOSITED_BDV
    );
    LibFertilizer.beginBarnRaiseMigration(C.BEAN_WSTETH_WELL);
}

According to its NatSpec comment, this function:

/**
 * Initializes the Migration of the Unripe LP underlying tokens from Bean:Eth to Bean:Steth.
 * It:
 * - Turns off Bean:Eth Minting while Multi Flow Pump catches up
 * - Whitelists Bean:WstETH
 * - Updates the optimal percent deposited for Bean:Eth
 * - Migrates the Unripe LP underlying tokens from Bean:Eth to Bean:Wsteth
 */

Impact

Without access control, the init() function can be called by any external account or contract, potentially leading to unauthorized initialization of the migration.

Tools Used

Manual Review

Recommendations

Use access control modifiers such as onlyOwner, onlyAdmin, or custom modifiers to restrict access to privileged functions like init().
Only designated accounts or contracts should have permission to call these functions.
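The shape the recommendation describes, as an added example that is not Beanstalk's code: an init guarded by an owner check and a one-shot flag, using the diamond-storage slot pattern so the same layout is read whether the contract runs directly or under delegatecall. The AppStorage fields, the storage slot, the LibMigration stub and the constant values are assumptions chosen so the contract compiles stand-alone; Beanstalk's real `s` and constants differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in for the whitelist / Barn Raise calls made by the real init() (assumption).
library LibMigration {
    event MigrationStarted(address indexed well);

    function beginMigration(address well) internal {
        emit MigrationStarted(well);
    }
}

contract InitMigrateGuarded {
    // Minimal stand-in for Beanstalk's app storage (assumed layout).
    struct AppStorage {
        address owner;                    // assumed: account allowed to run privileged inits
        bool migrationDone;               // assumed: one-shot guard
        uint32 currentSeason;
        uint32 beanEthStartMintingSeason;
    }

    // Diamond-storage pattern: a fixed slot, so the layout is shared with the
    // diamond when this contract is delegatecalled (assumed slot label).
    bytes32 private constant STORAGE_SLOT = keccak256("example.app.storage");
    uint32 private constant BEAN_ETH_PUMP_CATCH_UP_SEASONS = 24;          // placeholder value
    address private constant BEAN_WSTETH_WELL = address(uint160(0xBEEF)); // placeholder address

    function s() internal pure returns (AppStorage storage st) {
        bytes32 slot = STORAGE_SLOT;
        assembly { st.slot := slot }
    }

    /// Only the stored owner may run the migration, and only once.
    function init() external {
        AppStorage storage st = s();
        require(msg.sender == st.owner, "init: caller is not owner"); // access control
        require(!st.migrationDone, "init: already migrated");        // re-entry / replay guard
        st.migrationDone = true;

        // Same effect as the original: pause Bean:Eth minting for a catch-up window.
        st.beanEthStartMintingSeason = st.currentSeason + BEAN_ETH_PUMP_CATCH_UP_SEASONS;
        LibMigration.beginMigration(BEAN_WSTETH_WELL);
    }
}
```

Because delegatecall preserves msg.sender, the owner check also holds when a diamond delegatecalls this init during an upgrade: msg.sender is the account that invoked the upgrade, not the diamond itself.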

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Init access control
