Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Any User can prevent the contract owner from switching the underlying token

hunter_w3b

Summary

Where any user can prevent the contract owner from switching the underlying token by sending a small amount of the token to increase its balance. This exploit hinges on the fact that the switchUnderlyingToken function has a require statement that the balance of the underlying token must be zero. As long as this balance is non-zero, the function will revert, effectively locking the ability to switch.

Vulnerability Details

This function checks if the balance of the underlying token is zero before allowing the switch. If any user can increment this balance, they can block this operation.

function switchUnderlyingToken(

address unripeToken,

address newUnderlyingToken

) external payable {

LibDiamond.enforceIsContractOwner();

require(s.u[unripeToken].balanceOfUnderlying == 0, "Unripe: Underlying balance > 0");

LibUnripe.switchUnderlyingToken(unripeToken, newUnderlyingToken);

}

Users can increment the balanceOfUnderlying through the following function, which can be called through other functions.

function addUnderlying(address token, uint256 underlying) internal {

AppStorage storage s = LibAppStorage.diamondStorage();

if (token == C.UNRIPE_LP) {

uint256 recapped = underlying.mul(s.recapitalized).div(

s.u[C.UNRIPE_LP].balanceOfUnderlying

);

s.recapitalized = s.recapitalized.add(recapped);

}

incrementUnderlying(token, underlying);

}

function incrementUnderlying(address token, uint256 amount) internal {

AppStorage storage s = LibAppStorage.diamondStorage();

s.u[token].balanceOfUnderlying = s.u[token].balanceOfUnderlying.add(amount);

emit ChangeUnderlying(token, int256(amount));

}

Minting or Adding Tokens: Functions like mintFertilizer or conversion functions (e.g., convertLPToBeans, convertBeansToLP) eventually call incrementUnderlying.
Incrementing Balance: By calling these functions, anyone can increase the balance of the underlying tokens.
Switching Prevention: Once the balance is incremented, the switchUnderlyingToken function will revert due to the non-zero balance requirement.

Impact

Allows any user to prevent the contract owner from switching the underlying token by sending a small amount of the token to increase its balance. This effectively locks the contract's ability to switch tokens, potentially causing financial or operational disruption.

Tools Used

Manual Review

Recommendations

Instead of checking if the balance is zero, implement a different logic to allow the switching of tokens.

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

hunter_w3b Submitter

about 1 year ago

giovannidisiena Lead Judge

about 1 year ago

giovannidisiena Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.