Beanstalk Part 3
Beanstalk
DeFiHardhat
21,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Improper validation in ConvertFacet will cause that bdv is not actually decreased when newBdv > fromBdv

inh3l

Summary

The validation in the convert function to set toBdv during conversion is not entirely accurate as Bdv is always decreased if newBdv > fromBdv.

Vulnerability Details

Contrary to the comment and expected functionality of the Bdv is not decreased when the decreaseBDV is true and the newBdv is greater than fromBdv. This will lead to the incorrect data being used when tokens are being deposited for conversion, leading to inaccurate calculations down the line and potential loss of funds.

function convert(
bytes calldata convertData,
int96[] memory stems,
uint256[] memory amounts
)
...
require(cp.fromAmount > 0, "Convert: From amount is 0.");
...
// If `decreaseBDV` flag is not enabled, set toBDV to the max of the two bdvs.
toBdv = (newBdv > fromBdv || cp.decreaseBDV) ? newBdv : fromBdv;
toStem = _depositTokensForConvert(cp.toToken, cp.toAmount, toBdv, grownStalk, cp.account);
...
emit Convert(cp.account, cp.fromToken, cp.toToken, cp.fromAmount, cp.toAmount);
}

A short case study of the current implementation.

Case A Case B
newBdv 10 20
fromBdv 20 10
// If `decreaseBDV` flag is not enabled, set toBDV to the max of the two bdvs.
toBdv = (newBdv > fromBdv || cp.decreaseBDV) ? newBdv : fromBdv;

Case A Case B
decreaseBDV 10 20
!decreaseBDV 20 20

Impact

Whenever newBdv is greater than fromBdv, Bdv not decreased going against the intended functionality.

Tools Used

Manual review

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.