DeFiHardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Risk of DoS in `Sun::setSoilBelowPeg` due to expanding loop

Description

Sun::setSoilBelowPeg is a crucial function that is invoked each season to peg Beans. It iterates over all the whitelisted Well LP tokens. Currently, only one token is on this list, but more can be added in the future (hence the use of a loop). Tokens are added through WhitelistFacet::whitelistToken, which allows the owner to add new accepted Well tokens to the silo. The issue is that neither whitelistToken nor setSoilBelowPeg checks for a maximum number of tokens or a maximum price. This will lead to denial of service for one of two reasons:

  • Too many tokens to handle: results in out of gas

  • The price for all tokens will overflow in the SafeAdd library.

```solidity
function setSoilBelowPeg(int256 twaDeltaB) internal {
    // Calculate deltaB from instantaneous reserves of all whitelisted Wells.
    int256 instDeltaB;
@>  address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();
@>  for (uint256 i = 0; i < tokens.length; i++) {
        int256 wellInstDeltaB = LibWellMinting.instantaneousDeltaB(tokens[i]);
@>      instDeltaB = instDeltaB.add(wellInstDeltaB);
    }
    // Set new soil.
    setSoil(Math.min(uint256(-twaDeltaB), uint256(-instDeltaB)));
}
```

Risk

Likelihood: Very low

  • Only one token is currently present, and it could take several months/years before the bug manifests.

Impact: High

  • It leads to a denial of service for the entire pegging system of Beanstalk.

Recommended Mitigation

Implement a limit for whitelisted Well tokens in the contract, and before adding a token, check that summing all the prices won't cause a revert.
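One way to implement this mitigation, as an added example that is not Beanstalk's code: a self-contained contract that caps the list at whitelist time and dry-runs the per-season sum with the candidate token included. It assumes Solidity 0.8 (built-in checked arithmetic instead of a SafeMath-style library); `BoundedWellWhitelist`, `IDeltaBSource`, `MAX_WELL_LP_TOKENS` and the cap value of 16 are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Beanstalk code. All names and the cap are hypothetical.
interface IDeltaBSource {
    function instantaneousDeltaB(address well) external view returns (int256);
}

contract BoundedWellWhitelist {
    uint256 public constant MAX_WELL_LP_TOKENS = 16; // assumed; size to the gas budget
    address public immutable owner;
    IDeltaBSource public immutable source;
    address[] private wellLpTokens;
    mapping(address => bool) public isWhitelisted;

    error NotOwner();
    error AlreadyWhitelisted(address token);
    error WhitelistFull(uint256 cap);
    event TokenWhitelisted(address indexed token, int256 projectedInstDeltaB);

    constructor(IDeltaBSource source_) {
        owner = msg.sender;
        source = source_;
    }

    function whitelistToken(address token) external {
        if (msg.sender != owner) revert NotOwner();
        if (isWhitelisted[token]) revert AlreadyWhitelisted(token);
        // Hard cap: the per-season loop can never exceed MAX_WELL_LP_TOKENS iterations.
        if (wellLpTokens.length >= MAX_WELL_LP_TOKENS) revert WhitelistFull(MAX_WELL_LP_TOKENS);
        // Dry-run the per-season sum with the candidate included. If the checked
        // addition overflows, the revert happens here, at whitelist time.
        // This is a point-in-time check: deltaB values change after whitelisting.
        int256 projected = totalInstDeltaB() + source.instantaneousDeltaB(token);
        isWhitelisted[token] = true;
        wellLpTokens.push(token);
        emit TokenWhitelisted(token, projected);
    }

    // Bounded equivalent of the summation loop in setSoilBelowPeg.
    function totalInstDeltaB() public view returns (int256 sum) {
        uint256 n = wellLpTokens.length; // n <= MAX_WELL_LP_TOKENS by construction
        for (uint256 i = 0; i < n; i++) {
            sum += source.instantaneousDeltaB(wellLpTokens[i]);
        }
    }
}
```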

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
