Beanstalk Part 2

Beanstalk

DeFiHardhat

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Dos due to Division by zero Price

0xaman

Summary

When user call mintFertilizer function, the contract divide tokenAmountIn by Price of BarinRaise token to get amount of Fertilizer token to mint .However it does not check if the Price Return from Oracle is zero.

Vulnerability Details

The Contract Calculate the amount of tokens to be minted by dividing tokenAmountIn by Price of BarinRaise token. To fetch the price the contract calls LibUsdOracle.getUsdPrice(). The LibUsdOracle.getUsdPrice can return zero if the Price is not valid or steal.
following function will return fertilizerAmountOut amount :

function _getMintFertilizerOut(

uint256 tokenAmountIn,

address barnRaiseToken

) public view returns (uint256 fertilizerAmountOut) {

fertilizerAmountOut = tokenAmountIn.div(

LibUsdOracle.getUsdPrice(barnRaiseToken)

);

}

The getUsdPrice() function code :

function getUsdPrice(address token, uint256 lookback) internal view returns (uint256) {

if (token == C.WETH) {

uint256 ethUsdPrice = LibEthUsdOracle.getEthUsdPrice(lookback);

@> if (ethUsdPrice == 0) return 0;

return uint256(1e24).div(ethUsdPrice); // 4586021100

}

if (token == C.WSTETH) {

uint256 wstethUsdPrice = LibWstethUsdOracle.getWstethUsdPrice(lookback);

@> if (wstethUsdPrice == 0) return 0;

return uint256(1e24).div(wstethUsdPrice);

}

revert("Oracle: Token not supported.");

}

As it can be seen from getUsdPrice that it will return 0 if wstethUsdPrice or ethUsdPrice is 0.

Impact

It will Dos, although the zero return case is already handled in mintFertilizer function via require(fertilizerAmountOut > 0, "Fertilizer: None bought.")

Tools Used

Manual Review

Recommendations

check that if getUsdPrice return 0 , then return 0. otherwise do the calculation

diff --git a/protocol/contracts/beanstalk/barn/FertilizerFacet.sol b/protocol/contracts/beanstalk/barn/FertilizerFacet.sol

index 4ede650..2ff5671 100644

--- a/protocol/contracts/beanstalk/barn/FertilizerFacet.sol

+++ b/protocol/contracts/beanstalk/barn/FertilizerFacet.sol

@@ -114,6 +121,8 @@ contract FertilizerFacet {

uint256 tokenAmountIn,

address barnRaiseToken

) public view returns (uint256 fertilizerAmountOut) {

+ uint256 usdPrice =LibUsdOracle.getUsdPrice(barnRaiseToken);

+ if (usdPrice == 0) return 0;

fertilizerAmountOut = tokenAmountIn.div(

LibUsdOracle.getUsdPrice(barnRaiseToken)

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

FertilizerFacet DoS

Informational/Invalid

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

1,991

18 USDC / LOC

High Medium

30,000 USDC

Low

1,500 USDC

Judges

3,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.