DeFiHardhat
21,000 USDC
Submission Details
Severity: medium
Invalid

Recapitalization issue on Underlying Token Switch and Decrement

Summary

The switchUnderlyingToken function and the decrementUnderlying function in the LibUnripe.sol library don't properly account for changes in the dollar value of the underlying tokens when performing their respective operations. This can possibly lead to inaccuracies in the recapitalization state and potentially result in financial losses for users.

Vulnerability details

The switchUnderlyingToken function allows changing the underlying token associated with an Unripe Token without adjusting the s.recapitalized state variable. This can cause inconsistencies if there is a valuation difference between the old and new underlying tokens.

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/beanstalk/barn/UnripeFacet.sol#L347-L354

function switchUnderlyingToken(
    address unripeToken,
    address newUnderlyingToken
) external payable {
    LibDiamond.enforceIsContractOwner();
    require(s.u[unripeToken].balanceOfUnderlying == 0, "Unripe: Underlying balance > 0");
    LibUnripe.switchUnderlyingToken(unripeToken, newUnderlyingToken);
}

Similarly, the decrementUnderlying function in the LibUnripe.sol library reduces the balanceOfUnderlying for a given Unripe Token without adjusting the recapitalized state accordingly. This can lead to issues in the recapitalization percentage calculations, especially when assets are removed, as it might not reflect the actual dollar value of the assets after the operation.

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibUnripe.sol#L63-L67

function decrementUnderlying(address token, uint256 amount) internal {
    AppStorage storage s = LibAppStorage.diamondStorage();
    s.u[token].balanceOfUnderlying = s.u[token].balanceOfUnderlying.sub(amount);
    emit ChangeUnderlying(token, -int256(amount));
}

As seen in both cases, the lack of proper accounting for the dollar value changes of the underlying tokens can result in an inaccurate representation of the recapitalization state. This is particularly concerning when there are significant fluctuations in the market value of the tokens involved.

Impact

Users may face losses due to an inaccurate representation of recapitalized funds. The true value of their holdings may not be reflected correctly. Also, the calculation of recapitalization percentages, token conversions, and reward distributions can be compromised.

Tools Used

Manual review

Recommended Mitigation Steps:

To mitigate these vulnerabilities, the following steps are recommended:

I'd recommend implementing a mechanism in the switchUnderlyingToken function that updates the s.recapitalized state variable based on the market value of the new underlying token at the time of switching. This ensures that the recapitalization state accurately reflects the true value of the underlying assets after the migration or switch.
Also, the decrementUnderlying function should adjust the recapitalized state whenever assets are removed. The adjustment should reflect the actual dollar value of the assets being removed, possibly using an oracle or other reliable price feed to determine the current market value.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
