Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

`Sun.setSoilBelowPeg()` wouldn't work as intended.

bladesec

Summary

Sun.setSoilBelowPeg() might use an unintended soil amount when below peg.

Vulnerability Details

During the improvements, setSoilBelowPeg() uses a minimum amount of twaDeltaB and instDeltaB to prevent unnecessary minting of Soil.

function setSoilBelowPeg(int256 twaDeltaB) internal {

// Calculate deltaB from instantaneous reserves of all whitelisted Wells.

int256 instDeltaB;

address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();

for (uint256 i = 0; i < tokens.length; i++) {

int256 wellInstDeltaB = LibWellMinting.instantaneousDeltaB(tokens[i]);

instDeltaB = instDeltaB.add(wellInstDeltaB);

}

// Set new soil.

setSoil(Math.min(uint256(-twaDeltaB), uint256(-instDeltaB)));

}

Here is a detailed explanation of Soil Issuance Update.

Soil Issuance Update

Consider an example where Beanstalk is at -300k deltaB for the first 58 minutes of a Season. At the 58th minute, i.e., 10 blocks before the next gm call, a Farmer buys and Sows 200k Beans, bringing the current deltaB to -100k.

Assuming no other trades in the final 2 minutes of the Season, the Soil issued at gm will be slightly less than 300k, despite Beanstalk only needing 100k Beans to be bought to return to peg. Before Multi Flow, this was necessary for sufficient manipulation resistance.

In general, Beanstalk does not need to be particularly aggressive when issuing Soil—it does not want to issue debt if it doesn't have to.

Thus, using the inter-block MEV manipulation resistant instantaneous reserves in Multi Flow to calculate deltaB below peg is ideal.

But there is an exceptional case.

As the above example, -300K deltaB for the first 58 minutes.
At the 58th minute, a farmer buys and sows 400k Beans(instead of 200K).
During gm, twaDeltaB will be around -300k as the recent change won't affect twa much. And instDeltaB will be a positive vaulue: 100k.
In this case, the protocol's intention is not to mint new Soil at all as it doesn't want to issue debt if possible.
But with the implementation, Math.min(uint256(-twaDeltaB), uint256(-instDeltaB)) will be 300k as uint256(-instDeltaB) = uint256(-100k) = 2^256 - 100k.
So it will issue 300k Soil unexpectedly.

Impact

setSoilBelowPeg() might issue more Soil than intended for some cases.

Tools Used

Manual Review

Recommendations

setSoilBelowPeg() shouldn't issue Soil if instDeltaB is positive already.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

giovannidisiena Lead Judge

about 1 year ago

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Unintended soil issuance below peg

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.