DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

Refactoring and Optimizing Functions `getPenalizedUnderlying` & `_getPenalizedUnderlying` for Enhanced Security and Gas Efficiency

Summary

The finding concerns the visibility and encapsulation of the functions `getPenalizedUnderlying` and `_getPenalizedUnderlying`, which may affect the contract's security and gas efficiency.

Vulnerability Details

These are two identical functions: `getPenalizedUnderlying` is a getter and should be public, while `_getPenalizedUnderlying` should be private or internal (encapsulated) and called only from within the contract.

// Public getter: computes the penalized underlying for `amount`
// using the unripe token's current total supply.
function getPenalizedUnderlying(
    address unripeToken,
    uint256 amount
) public view returns (uint256 redeem) {
    return
        LibUnripe._getPenalizedUnderlying(unripeToken, amount, IBean(unripeToken).totalSupply());
}

// Same computation, but with the supply passed in by the caller.
// Declared public here, which is what the finding objects to.
function _getPenalizedUnderlying(
    address unripeToken,
    uint256 amount,
    uint256 supply
) public view returns (uint256 redeem) {
    return LibUnripe._getPenalizedUnderlying(unripeToken, amount, supply);
}

Impact

A public function can be called by anyone on the blockchain, which may lead to various unexpected manipulations (price manipulation, supply and demand manipulation, etc.). Having two identical functions is also gas inefficient.

Tools Used

Manual review.

Recommendations

I consider this low because they are both view functions, but I believe two identical public functions (especially when they can show data from other contracts in the protocol) could possibly lead to various unexpected and creative vulnerabilities, and it is also a waste of gas.
I consider the solution below best practice, with greater security for the protocol and better gas optimization:

function getPenalizedUnderlying(
address unripeToken,
uint256 amount
) public view returns (uint256 redeem) {
+ return _getPenalizedUnderlying(unripeToken, amount);
- return LibUnripe._getPenalizedUnderlying(unripeToken, amount, IBean(unripeToken).totalSupply());
}
function _getPenalizedUnderlying(
address unripeToken,
uint256 amount,
- uint256 supply
) private view returns (uint256 redeem) {
+ uint256 supply = IBean(unripeToken).totalSupply();
return LibUnripe._getPenalizedUnderlying(unripeToken, amount, supply);
}
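Review bot: the proposed change is ABI-breaking rather than a pure refactor, because the `- uint256 supply` removal plus `private` drops the only behaviour that distinguished the two functions: the original public `_getPenalizedUnderlying` let a caller evaluate the penalty for an arbitrary `supply`, whereas the new private helper always reads `IBean(unripeToken).totalSupply()`. Any existing consumer of the three-argument view must be identified before this is applied, and if none exists the helper could simply be inlined into the getter, since after the change it only adds the `totalSupply()` lookup. Note also that both versions keep `view`, so neither can alter state, and the gas effect of the change is limited to deployed bytecode size (external `view` calls cost no gas). Minor style point: in the first function the `+` line is placed before the `-` line it replaces; conventional diff order is removal first.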
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Invalid
