Beanstalk Part 2
Beanstalk
DeFiHardhat
35,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Switch of underlying tokens can be blocked at the cost of 1wei

inh3l

Summary

Malicious users can DOS the switching of underlying token of an unripe token by donating at least 1 wei of the previous underlying token.

Vulnerability Details

The switchUnderlyingToken function allows the contract owner to switch the ripe(underlying) token of an unripe token.
The issue with this function is that it checks for the current balance of the underlying token is 0 before the underlying token can be switched.

function switchUnderlyingToken(
address unripeToken,
address newUnderlyingToken
) external payable {
LibDiamond.enforceIsContractOwner();
require(s.u[unripeToken].balanceOfUnderlying == 0, "Unripe: Underlying balance > 0"); //@note
LibUnripe.switchUnderlyingToken(unripeToken, newUnderlyingToken);
}

This causes that if for any important reason(depeg events, blackswan, etc), the underlying token needs to be changed, a malicicous user can send the underlying tokens to the contract, causing the balance ot always be greater than 0 thereby preventing the switch. The issue is further excarcebated by the absence of a recover/sweep token function, which could have been triggered to clear the token balance before the switch.

Impact

DOS of a major contract function, which can lead to unexpected behaviours.

Tools Used

Manual Review

Recommendations

Two ways to fix this:

  1. Introducing an escrow mechanism to which the previous underlying tokens can be sent and users can go claim it.

  2. Introducing a sweep function to clear the contract balance before switching tokens.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.