DeFi, Hardhat
21,000 USDC
Submission Details
Severity: high
Invalid

Incorrect Conversion Calculations Occur Because of Inaccurate totalSupply Data

Summary

The totalSupply data is used directly in conversion calculations without validation. If this data is manipulated or incorrect, it affects the conversion rates, leading to financial exploitation.

Vulnerability Details

The conversion of Unripe Tokens to Ripe Tokens is done using the chop function, and the totalSupply of the Unripe Token is passed to this function to determine the conversion rate. The totalSupply value is not validated for accuracy before being used in calculations, which makes the contract susceptible to manipulation: an incorrect totalSupply could be fed into the function, leading to incorrect conversion rates.
The vulnerability arises where the totalSupply is used for conversion calculations in LibChop.chop. Here is the vulnerable line https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibChop.sol#L33 :

underlyingAmount = LibUnripe.getPenalizedUnderlying(unripeToken, amount, supply);

This affects the calculation of underlyingAmount, which is the amount of Ripe Tokens received after the conversion.

  • Here is the convertUnripeToRipe function https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/Convert/LibChopConvert.sol#L26C3-L46C6 :

function convertUnripeToRipe(bytes memory convertData)
    internal
    returns (
        address tokenOut,
        address tokenIn,
        uint256 amountOut,
        uint256 amountIn
    )
{
    // Decode convertData into the amount and the Unripe token being converted
    (amountIn, tokenIn) = convertData.lambdaConvert();
    // Chop the Unripe tokens; the supply argument is read live from the token
    (tokenOut, amountOut) = LibChop.chop(
        tokenIn,
        amountIn,
        IBean(tokenIn).totalSupply() // <---- vulnerable line
    );
    // Burn the converted Unripe tokens
    IBean(tokenIn).burn(amountIn);
}

Here is a scenario showing the issue that I tested with:

  • Let's say that the actual totalSupply of Unripe Tokens is 1,000,000.

  • The user wants to convert 10,000 Unripe Tokens.

  • The penalized rate is 0.8 (80%).

  • The expected calculation is 10,000 × 0.8 = 8,000 Ripe Tokens.

  • The manipulated totalSupply is 500,000.

  • As a result, the incorrect conversion is 10,000 × (500,000/1,000,000) × 0.8 = 16,000 Ripe Tokens, which shows that the user receives more Ripe Tokens than they should.

Impact

If the totalSupply data is inaccurate, it leads to incorrect calculations when converting Unripe Tokens to Ripe Tokens. This discrepancy can result in users receiving more or fewer tokens than they should, causing financial loss.

Tools Used

Manual review

Recommendations

Ensure that the totalSupply data is accurate and consistent before performing conversions.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
