DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

An ERC20 token removed from the Silo Whitelist can't be whitelisted again.

Summary

An ERC20 token removed from the Silo Whitelist can't be whitelisted again.

Vulnerability Details

The dewhitelistToken() function of the LibWhitelist.sol contract removes an ERC-20 token from the Silo Whitelist, but it doesn't delete the milestoneSeason value.

./LibWhitelist.sol#dewhitelistToken()
function dewhitelistToken(address token) internal {
    AppStorage storage s = LibAppStorage.diamondStorage();
    // before dewhitelisting, verify that `libWhitelistedTokens` are updated.
    LibWhitelistedTokens.updateWhitelistStatus(token, false, false, false);
    // set the stalkEarnedPerSeason to 1 and update milestone stem.
    // stalkEarnedPerSeason requires a min value of 1.
    updateStalkPerBdvPerSeasonForToken(token, 1);
    // delete the selector and encodeType.
    delete s.ss[token].selector;
    delete s.ss[token].encodeType;
    // delete gaugePoints, gaugePointSelector, liquidityWeightSelector, and optimalPercentDepositedBdv.
    delete s.ss[token].gaugePoints;
    delete s.ss[token].gpSelector;
    delete s.ss[token].lwSelector;
    delete s.ss[token].optimalPercentDepositedBdv;
    emit DewhitelistToken(token);
}

Thus, if the whitelistToken() function is called again to re-whitelist a token that has already been removed from the Silo Whitelist, it hits this check:

require(s.ss[token].milestoneSeason == 0, "Whitelist: Token already whitelisted");

The check reverts because the s.ss[token].milestoneSeason value is not deleted in the dewhitelistToken() function.
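A simplified model of the sequence described above, as an added example that is not part of the submission or of the project's code. The contract name `WhitelistModel`, the `season` value and `rewhitelistAfterRemoval()` are hypothetical; only the field names and the require string are taken from the snippets in this report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model (assumption): keeps only the fields needed to show the
// whitelist -> dewhitelist -> whitelist sequence. Not the project's code.
contract WhitelistModel {
    struct SiloSettings {
        bytes4 selector;
        uint32 stalkEarnedPerSeason;
        uint32 milestoneSeason;
    }

    mapping(address => SiloSettings) public ss;
    uint32 public season = 1; // hypothetical current season, non-zero

    function whitelistToken(address token, bytes4 selector, uint32 stalkEarnedPerSeason) external {
        // Same guard as the check quoted from whitelistToken().
        require(ss[token].milestoneSeason == 0, "Whitelist: Token already whitelisted");
        ss[token].selector = selector;
        ss[token].stalkEarnedPerSeason = stalkEarnedPerSeason;
        ss[token].milestoneSeason = season;
    }

    function dewhitelistToken(address token) external {
        // Mirrors the snippet: stalkEarnedPerSeason drops to its minimum of 1
        // and the selector is deleted, while milestoneSeason is left in place.
        ss[token].stalkEarnedPerSeason = 1;
        delete ss[token].selector;
    }

    // Runs the full sequence for a token not yet whitelisted in this model and
    // returns the revert reason of the second whitelistToken() call, or an
    // empty string if that call succeeds.
    function rewhitelistAfterRemoval(address token) external returns (string memory) {
        this.whitelistToken(token, bytes4(0x12345678), 2);
        this.dewhitelistToken(token);
        try this.whitelistToken(token, bytes4(0x12345678), 2) {
            return "";
        } catch Error(string memory reason) {
            return reason;
        }
    }
}
```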

Impact

An ERC20 token removed from the Silo Whitelist can't be whitelisted again.

Tools Used

Manual Analysis

Recommendations

In the dewhitelistToken() function, add the following:

./LibWhitelist.sol#dewhitelistToken()
function dewhitelistToken(address token) internal {
AppStorage storage s = LibAppStorage.diamondStorage();
// before dewhitelisting, verify that `libWhitelistedTokens` are updated.
LibWhitelistedTokens.updateWhitelistStatus(token, false, false, false);
// set the stalkEarnedPerSeason to 1 and update milestone stem.
// stalkEarnedPerSeason requires a min value of 1.
updateStalkPerBdvPerSeasonForToken(token, 1);
// delete the selector and encodeType.
delete s.ss[token].selector;
delete s.ss[token].encodeType;
// delete gaugePoints, gaugePointSelector, liquidityWeightSelector, and optimalPercentDepositedBdv.
delete s.ss[token].gaugePoints;
delete s.ss[token].gpSelector;
delete s.ss[token].lwSelector;
delete s.ss[token].optimalPercentDepositedBdv;
+ delete s.ss[token].milestoneSeason;
emit DewhitelistToken(token);
}
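
Review bot: the added `delete s.ss[token].milestoneSeason;` sits directly after `updateStalkPerBdvPerSeasonForToken(token, 1)`, whose comments say it updates the milestone stem and keeps stalkEarnedPerSeason at its minimum of 1 instead of clearing it, so the milestone fields look intentionally retained after removal. Before clearing milestoneSeason, confirm that nothing still reads it for a dewhitelisted token, and state what whitelistToken() should do with the leftover milestone state once its `milestoneSeason == 0` guard passes again. A test that whitelists, dewhitelists and re-whitelists the same token would document the intended behaviour.
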
Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

Informational/Invalid
