Beanstalk Part 2

Beanstalk

DeFiHardhat

35,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Incorrect value returned in `LibConvert.getMaxAmountIn()`

tigerfrake

Summary

In LibConvert.getMaxAmountIn(), if (tokenIn == C.CURVE_BEAN_METAPOOL && tokenOut == C.BEAN), the function returns LibCurveConvert.lpToPeg(C.CURVE_BEAN_METAPOOL);.

However the lpToPeg() function called from LibCurveConvert returns 0 for the wrong condition.

Vulnerability Details

LibConvert.getMaxAmountIn():

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/main/protocol%2Fcontracts%2Flibraries%2FConvert%2FLibConvert.sol#L77-L78

if (tokenIn == C.CURVE_BEAN_METAPOOL && tokenOut == C.BEAN)

return LibCurveConvert.lpToPeg(C.CURVE_BEAN_METAPOOL); //@audit Invoked here

According to Developer comment on the LibCurveConvert.lpToPeg(), the function is designed to return 0 if above peg

* @dev Returns 0 if above peg.

However the function does quite the opposite.

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/main/protocol%2Fcontracts%2Flibraries%2FConvert%2FLibCurveConvert.sol#L41-L46

function lpToPeg(address pool) internal view returns (uint256 lp) {

uint256[2] memory balances = ICurvePool(pool).get_balances();

uint256 xp1 = _getBeansAtPeg(pool, balances);

if (balances[0] <= xp1) return 0; // @audit Wrong condition

return LibMetaCurveConvert.lpToPeg(balances, xp1);

}

The current condition if (balances[0] <= xp1) checks if the pool is at or below the peg then returns 0, which is the opposite of the intended behavior.

Impact

This could result in incorrect decisions about when to add or remove liquidity. If the function indicates that the pool is at or below peg when it's actually above peg or vise-versa, liquidity may not be added when it's needed to stabilize the pool's price, potentially leading to price volatility and impermanent loss.

Tools Used

Manual Review

Recommendations

To correct this, the condition should be changed to check if the pool is above the peg. This can be done by ensuring that the condition returns 0 when the pool's balance is greater than the amount of BEAN at the peg (xp1).

/**

* @notice Calculate the amount of liquidity needed to be removed as Beans to return `pool` back to peg.

* @dev Returns 0 if above peg.

function lpToPeg(address pool) internal view returns (uint256 lp) {

uint256[2] memory balances = ICurvePool(pool).get_balances();

uint256 xp1 = _getBeansAtPeg(pool, balances);

// Adjusted condition to return 0 if the pool is above peg

if (balances[0] > xp1) return 0; // @audit Correct condition

return LibMetaCurveConvert.lpToPeg(balances, xp1);

}

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational/Invalid

Prize pool breakdown

Total prize

35,000 USDC

nSLOC

1,991

18 USDC / LOC

High Medium

30,000 USDC

Low

1,500 USDC

Judges

3,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.