Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Oracle Data Manipulation in the Sun Contract

baouch21

Summary

The bug arise from the manipulation of oracle data used in the contract, the functions
rewardToFertilizer and setSoilBelowPeg rely on the deltaB value, which can be manipulated through the oracle, and this manipulation can lead to incorrect calculations for fertilizer rewards and soil adjustments, causing significant market imbalances

Vulnerability Details

The contract relies on oracle data to adjust soil issuance and distribute Beans, so Manipulation of this oracle data can lead to incorrect adjustments and distributions, causing market imbalances such as over-issuance or under-issuance of Beans and this can affect the value of Beans and overall market stability here is the vulnerable lines :

In rewardToFertilizer Function:

uint256 maxNewFertilized = amount.div(FERTILIZER_DENOMINATOR);

Here it’s calculates the maximum new Beans that can be fertilized. If the amount is manipulated via oracle data, this calculation will be incorrect.
here the Calculation of newBpf

uint256 newBpf = maxNewFertilized.div(s.activeFertilizer);

on the maxNewFertilized value. Any incorrect calculation will propagate here, affecting the Beans per Fertilizer.

while (newTotalBpf >= firstEndBpf) {

And this loop is relies on the value derived from oracle data.

in the setSoilBelowPeg Function:
Here the Calculation of instDeltaB

int256 instDeltaB;

address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();

for (uint256 i = 0; i < tokens.length; i++) {

int256 wellInstDeltaB = LibWellMinting.instantaneousDeltaB(tokens[i]);

instDeltaB = instDeltaB.add(wellInstDeltaB);

}

and here is the usage of Oracle Data in LibWellMinting Library :

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/Minting/LibWellMinting.sol#L231

try IInstantaneousPump(pumps[0].target).readInstantaneousReserves(well,pumps[0].data)

returns (uint[] memory instReserves) {

// well, reserves, snapshot, lookback

(int256 deltaB, , ,) = getDeltaBInfoFromWell(well, instReserves, new bytes(0) , 0);

return (deltaB);

} catch {

return 0;

}

Impact

Incorrect adjustments to Soil and Bean minting can lead to market imbalances

Tools Used

Manual review

Recommendations

Need to add validation and multiple data sources for the oracle data to mitigate the risk of manipulation

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Too generic

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.