DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`LibWhitelistedTokens` not updated to include the new token in `updateOptimalPercentDepositedBdvForToken()`.

Summary

`updateOptimalPercentDepositedBdvForToken()` is used to update the `optimalPercentDepositedBdv` of a token. According to the dev comments:

```solidity
 * @dev {LibWhitelistedTokens} must be updated to include the new token.
```

However, this function does not update `LibWhitelistedTokens` to include the new token when called.

Vulnerability Details

  • https://github.com/Cyfrin/2024-04-beanstalk-2/blob/27ff8c87c9164c1fbff054be5f22e56f86cdf127/protocol/contracts/libraries/Silo/LibWhitelist.sol#L146C14-L152

```solidity
function updateOptimalPercentDepositedBdvForToken(
    address token,
    uint64 optimalPercentDepositedBdv
) internal {
    Storage.SiloSettings storage ss = LibAppStorage.diamondStorage().ss[token];
    updateGaugeForToken(token, ss.gpSelector, ss.lwSelector, optimalPercentDepositedBdv);
}
```

This internally calls `updateGaugeForToken()`, which also requires that `LibWhitelistedTokens` be updated to include the new token:

  • https://github.com/Cyfrin/2024-04-beanstalk-2/blob/27ff8c87c9164c1fbff054be5f22e56f86cdf127/protocol/contracts/libraries/Silo/LibWhitelist.sol#L156-L179

```solidity
/**
 * @dev {LibWhitelistedTokens} must be updated to include the new token.
 */
function updateGaugeForToken(
    address token,
    bytes4 gaugePointSelector,
    bytes4 liquidityWeightSelector,
    uint64 optimalPercentDepositedBdv
) internal {
    Storage.SiloSettings storage ss = LibAppStorage.diamondStorage().ss[token];
    require(ss.selector != 0, "Whitelist: Token not whitelisted in Silo");
    verifyGaugePointSelector(gaugePointSelector);
    verifyLiquidityWeightSelector(liquidityWeightSelector);
    ss.gpSelector = gaugePointSelector;
    ss.lwSelector = liquidityWeightSelector;
    ss.optimalPercentDepositedBdv = optimalPercentDepositedBdv;
    emit UpdateGaugeSettings(
        token,
        gaugePointSelector,
        liquidityWeightSelector,
        optimalPercentDepositedBdv
    );
}
```

Impact

LibWhitelistedTokens is used to determine which tokens are whitelisted within the system. Not updating it could lead to inconsistencies as users might expect the new token to be whitelisted, but it won't be included until LibWhitelistedTokens is manually updated.

Tools Used

Manual Review

Recommendations

It's essential to ensure that all relevant components are updated and synchronized when making changes to token-related functionality.
Since `updateOptimalPercentDepositedBdvForToken()` internally calls `updateGaugeForToken()`, which also requires that `LibWhitelistedTokens` be updated to include the new token, the update should be done in `updateGaugeForToken()`.

```solidity
function updateGaugeForToken(
    address token,
    bytes4 gaugePointSelector,
    bytes4 liquidityWeightSelector,
    uint64 optimalPercentDepositedBdv
) internal {
    Storage.SiloSettings storage ss = LibAppStorage.diamondStorage().ss[token];
    require(ss.selector != 0, "Whitelist: Token not whitelisted in Silo");
    verifyGaugePointSelector(gaugePointSelector);
    verifyLiquidityWeightSelector(liquidityWeightSelector);
    LibWhitelistedTokens.updateWhitelistStatus(token, true, true, true); // @audit LibWhitelistedTokens updated
    ss.gpSelector = gaugePointSelector;
    ss.lwSelector = liquidityWeightSelector;
    ss.optimalPercentDepositedBdv = optimalPercentDepositedBdv;
    emit UpdateGaugeSettings(
        token,
        gaugePointSelector,
        liquidityWeightSelector,
        optimalPercentDepositedBdv
    );
}
```

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
