DeFi, Hardhat
35,000 USDC
Submission Details
Severity: low
Invalid

In a `Diamond` architecture all state variables should be declared in `AppStorage`

Summary

The protocol uses the Diamond proxy pattern, but there are structs that are declared outside the AppStorage.

Vulnerability Details

The Beanstalk protocol is upgradeable and uses the Diamond proxy pattern. In a Diamond (multi-facet) architecture, shared state variables are typically stored in a central location, such as an AppStorage struct, to ensure that all Facets can access and modify the same state consistently. This is a key feature of the Diamond Standard (EIP-2535):
https://eips.ethereum.org/EIPS/eip-2535#storage

There are two structs that are declared outside of AppStorage. The first one is the Supply struct in the FertilizerFacet:

```solidity
struct Supply {
    uint128 endBpf;
    uint256 supply;
}
```

The second is the TwapVariables struct defined in LibChainlinkOracle:

```solidity
struct TwapVariables {
    uint256 cumulativePrice;
    uint256 endTimestamp;
    uint256 lastTimestamp;
}
```
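The shared-layout convention described above, as an added Solidity example that is not Beanstalk's code: every facet declares the same `AppStorage` as its first state variable, and the example contrasts a struct type declaration with a state variable declared directly in a facet. `MintFacet`, `ViewFacet`, `OwnStateFacet` and the `AppStorage` fields are hypothetical names; only the `Supply` fields are taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// A struct *type*. Declaring it (here or inside a facet/library) reserves
// no storage slot; only state variables of this type occupy storage.
struct Supply {
    uint128 endBpf;
    uint256 supply;
}

// Hypothetical shared layout. All facets run via delegatecall against the
// diamond's storage, so they must agree on this layout.
struct AppStorage {
    uint256 totalMinted; // slot 0
    Supply lastSupply;   // slots 1 and 2
}

contract MintFacet {
    AppStorage internal s; // first and only state variable: starts at slot 0

    function mint(uint128 endBpf, uint256 amount) external {
        s.totalMinted += amount;
        s.lastSupply = Supply(endBpf, amount);
    }
}

contract ViewFacet {
    AppStorage internal s; // same declaration, same slots as MintFacet

    function getSupplies() external view returns (Supply[] memory out) {
        // Memory-only use of the struct type: nothing is written to storage.
        out = new Supply[](1);
        out[0] = s.lastSupply;
    }
}

// What the AppStorage convention guards against: a facet that declares its
// own state variable. It lands on slot 0 and aliases AppStorage.totalMinted.
contract OwnStateFacet {
    uint256 internal counter; // slot 0 in the diamond's storage

    function bump() external {
        counter += 1; // through the diamond, this changes totalMinted
    }
}
```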

Impact

State variables that are shared across different facets should be declared in the AppStorage.

Tools Used

Manual Review

Recommendations

Declare the Supply and TwapVariables structs in the AppStorage.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
