Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Converting curve lp to beans will be completely impossible if curve pool gets killed

inh3l

Summary

ConvertKind.CURVE_LP_TO_BEANS uses curve's remove_liquidity_one_coin function for its conversion which becomes unavailable if the curve pool is killed. This will cause a complete denial of service for users trying to perform the conversion.

Vulnerability Details

When the convert function is called in ConvertFaucet.sol, passing in the CURVE_LP_TO_BEANS data, the convert is called in LibConvert.sol.

Since the user is converting curve lp to beans, convertLPToBeans is called in LibCurveConvert.sol.

function convert(bytes calldata convertData)

external

returns (convertParams memory cp)

{

LibConvertData.ConvertKind kind = convertData.convertKind();

...

} else if (kind == LibConvertData.ConvertKind.CURVE_LP_TO_BEANS) {

(cp.toToken, cp.fromToken, cp.toAmount, cp.fromAmount) = LibCurveConvert

.convertLPToBeans(convertData);

...

}

The function then tries removing the curve lp tokens towards peg.

function convertLPToBeans(bytes memory convertData)

internal

returns (

address tokenOut,

address tokenIn,

uint256 amountOut,

uint256 amountIn

)

{

...

(amountOut, amountIn) = curveRemoveLPTowardsPeg(lp, minBeans, pool);

...

}

The function queries the curveRemoveLPTowardsPeg trying to remove beans from the curve pool via the remove_liquidity_one_coin function.

function curveRemoveLPTowardsPeg(

uint256 lp,

uint256 minBeans,

address pool

) internal returns (uint256 beans, uint256 lpConverted) {

...

beans = ICurvePool(pool).remove_liquidity_one_coin(

lpConverted,

minBeans

);

}

The remove_liquidity_one_coin function looks like this, reverting if the pool is killed.

def remove_liquidity_one_coin(

_token_amount: uint256,

i: int128,

_min_amount: uint256

) -> uint256:

...

assert not self.is_killed # dev: is killed

...

This will cause the convert function to revert.

Impact

Complete inability to convert curve lp tokens to beans.

Tools Used

Manual review

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.