Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

function `convert` don't limit config convert kind

twcctop

Summary

compare to previous version, we can config other people's bdv on the down side, in the mode of Anti-lambda Convert. The problem is that we seems don't
have a limit on the kind of the convert, which means anyone can change other people's bdv to any kind of convert, which is not what we want.

Vulnerability Details

According to the sponoser describe about Anti-Lambda Convert:

- Currently, bdv is an asynchronous to the current bdv of the asset.If a user deposited an LP token at a higher price than now, they currently retain the inflated bdv. This can lead to beanstalk overpaying in stalk/seeds for that certain deposit. An Anti-Lamda Convert is a convert type that allows people to update other people's bdv on the downside. In a pvp enivornment like the evm, you'd expect people to update large positions with a huge BDV. Anti-lamda Converts can only be done on a per-deposit basis, as the ability to merge deposits should not be allowed.

The porblem is , according to the code ,seems that convert type is not limited. Wwe can change other people's bdv, in other modes depite Anti-Lamda Convert, could canuse unexpected result.

function convert(

bytes calldata convertData,

int96[] memory stems,

uint256[] memory amounts

)

external

payable

nonReentrant

returns (int96 toStem, uint256 fromAmount, uint256 toAmount, uint256 fromBdv, uint256 toBdv)

{

uint256 grownStalk;

LibConvert.convertParams memory cp = LibConvert.convert(convertData);

if (cp.decreaseBDV) {require(stems.length == 1 && amounts.length == 1, "Convert: DecreaseBDV only supports updating one deposit.");}

require(cp.fromAmount > 0, "Convert: From amount is 0.");

// Replace account with msg.sender if no account is specified.

@> if(cp.account == address(0)) cp.account = msg.sender;

//claim

LibSilo._mow(cp.account, cp.fromToken);

// If the fromToken and toToken are different, mow the toToken as well.

if (cp.fromToken != cp.toToken) LibSilo._mow(cp.account, cp.toToken);

// Withdraw the tokens from the deposit.

(grownStalk, fromBdv) = _withdrawTokens(

cp.fromToken,

stems,

amounts,

cp.fromAmount,

cp.account

);

// Calculate the bdv of the new deposit.

uint256 newBdv = LibTokenSilo.beanDenominatedValue(cp.toToken, cp.toAmount);

// If `decreaseBDV` flag is not enabled, set toBDV to the max of the two bdvs.

@> toBdv = (newBdv > fromBdv || cp.decreaseBDV) ? newBdv : fromBdv;

toStem = _depositTokensForConvert(cp.toToken, cp.toAmount, toBdv, grownStalk, cp.account);

// Retrieve the rest of return parameters from the convert struct.

toAmount = cp.toAmount;

fromAmount = cp.fromAmount;

emit Convert(cp.account, cp.fromToken, cp.toToken, cp.fromAmount, cp.toAmount);

}

Impact

other type of convert can be used to change other people's bdv, which is not what we want,at least, not same as sponsor's description.

Tools Used

manual

Recommendation

Limit the convert type to Anti-Lamda Convert only if account is not msg.sender.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.