Beanstalk Part 2

Beanstalk

DeFiHardhat

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

`LibUnripeConvert.getBeanAmountOut()` uses a wrong total supply.

bladesec

Summary

getBeanAmountOut() uses IBean(C.UNRIPE_BEAN).totalSupply() wrongly instead of IBean(C.UNRIPE_LP).totalSupply().

Vulnerability Details

getBeanAmountOut() calculates the amount of UNRIPE_BEAN that can be exchanged with UNRIPE_LP.

For that, it calls LibUnripe.unripeToUnderlying() to get the amount of UNRIPE_LP underlying from UNRIPE_LP.

function getBeanAmountOut(uint256 amountIn)

internal

view

returns (uint256 bean)

{

uint256 lp = LibUnripe.unripeToUnderlying(

C.UNRIPE_LP,

amountIn,

IBean(C.UNRIPE_BEAN).totalSupply() //@audit should use UNRIPE_LP

);

bean = LibWellConvert.getBeanAmountOut(LibBarnRaise.getBarnRaiseWell(), lp);

bean = LibUnripe

.underlyingToUnripe(C.UNRIPE_BEAN, bean)

.mul(LibUnripe.percentBeansRecapped())

.div(LibUnripe.percentLPRecapped());

}

function unripeToUnderlying(

address unripeToken,

uint256 unripe,

uint256 supply

) internal view returns (uint256 underlying) {

AppStorage storage s = LibAppStorage.diamondStorage();

underlying = s.u[unripeToken].balanceOfUnderlying.mul(unripe).div(supply);

}

In unripeToUnderlying(), it calculates the underlying amount proportionally with UNRIPE_LP supply and lp amount to swap.

But in getBeanAmountOut(), it uses IBean(C.UNRIPE_BEAN).totalSupply() instead of IBean(C.UNRIPE_LP).totalSupply() and the output will be wrong.

As getBeanAmountOut() is used in ConvertGettersFacet.getAmountOut(), users may get a wrong estimate during UNRIPE_LP to UNRIPE_BEAN conversion.

Impact

When users estimate an output amount using getAmountOut(), they will get a wrong result and it will make them impossible to set a proper minAmountOut.

Tools Used

Manual Review

Recommendations

getBeanAmountOut() should be modified like this.

function getBeanAmountOut(uint256 amountIn)

internal

view

returns (uint256 bean)

{

uint256 lp = LibUnripe.unripeToUnderlying(

C.UNRIPE_LP,

amountIn,

+ IBean(C.UNRIPE_LP).totalSupply()

);

}

Updates

Lead Judging Commences

giovannidisiena Lead Judge

over 1 year ago

giovannidisiena Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Unripe convert incorrect supply

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

1,991

18 USDC / LOC

High Medium

30,000 USDC

Low

1,500 USDC

Judges

3,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.