DeFiHardhat
21,000 USDC
View results
Submission Details
Severity: low
Invalid

Potential Overflow in `getPenalizedUnderlying` Function

Summary

The getPenalizedUnderlying function has an issue where the calculation of redeemable Ripe Tokens can exceed the actual underlying amount available. This occurs due to the use of a ratio that can "potentially" exceed 1 when s.recapitalized is greater than totalUsdNeeded.

Impact

If not addressed, this issue could lead to scenarios where users are able to redeem more Ripe Tokens than should logically be available

Proof of Concept

First let's look at the getPenalizedUnderlying function:

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibUnripe.sol#L166-L167

uint256 underlyingAmount = s.u[unripeToken].balanceOfUnderlying;
redeem = underlyingAmount.mul(s.recapitalized).div(totalUsdNeeded).mul(amount).div(supply);

Here, redeem can potentially exceed underlyingAmount if s.recapitalized is greater than totalUsdNeeded. The current safeguard:

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibUnripe.sol#L170

if(redeem > underlyingAmount) redeem = underlyingAmount;

acts as a temporary fix but does not address the root cause of the issue. The formula should inherently ensure that redeem does not exceed underlyingAmount without requiring a conditional check.

Tools Used

Manual review

Recommended Mitigation Steps:

A more appropriate would involve adjusting the calculation to ensure that the ratio of s.recapitalized to totalUsdNeeded does not exceed 1 before applying it to the underlyingAmount. This can be done by capping the ratio at 1:

uint256 recapRatio = s.recapitalized > totalUsdNeeded ? totalUsdNeeded : s.recapitalized;
redeem = underlyingAmount.mul(recapRatio).div(totalUsdNeeded).mul(amount).div(supply);

This adjustment ensures that the redeemable amount is always within logical bounds and reflects the actual recapitalization progress, preventing any potential overflow or logic errors in token redemption calculations.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.