DeFi, Hardhat
21,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Check and `getWhitelistedWellLpTokens` in `LibWellMinting::capture` function

Summary

The capture function does not check for zero address or verify if the provided well address is a whitelisted LP token before calling initializeOracle. This can lead to reverts in the initializeOracle function when well is not a valid or whitelisted address.

Vulnerability Details

The capture function does not validate if the well address is non-zero before proceeding to call initializeOracle.

If a zero address, or an address that is not a whitelisted Well LP token, is passed, it can cause the transaction to revert.

```solidity
function capture(
    address well
) external returns (int256 deltaB) {
    bytes memory lastSnapshot = LibAppStorage
        .diamondStorage()
        .wellOracleSnapshots[well];
    // If the length of the stored Snapshot for a given Well is 0,
    // then the Oracle is not initialized.
    if (lastSnapshot.length > 0) {
        deltaB = updateOracle(well, lastSnapshot);
    } else {
        initializeOracle(well);
    }
    deltaB = LibMinting.checkForMaxDeltaB(deltaB);
}
```

The initializeOracle function attempts to read cumulative reserves from the well address without ensuring it is valid. If well is a zero address or not part of the whitelisted tokens, IWell(well).pumps() will revert.

```solidity
function initializeOracle(address well) internal {
    AppStorage storage s = LibAppStorage.diamondStorage();
    // If pump has not been initialized for `well`, `readCumulativeReserves` will revert.
    // Need to handle failure gracefully, so Sunrise does not revert.
@>> Call[] memory pumps = IWell(well).pumps(); // revert happening before try/catch
    try ICumulativePump(pumps[0].target).readCumulativeReserves(
        well,
        pumps[0].data
    ) returns (bytes memory lastSnapshot) {
        s.wellOracleSnapshots[well] = lastSnapshot;
        emit WellOracle(s.season.current, well, 0, lastSnapshot);
    } catch {
        emit WellOracle(s.season.current, well, 0, new bytes(0));
    }
}
```
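An added illustration (not Beanstalk's code and not part of the submission) of the Solidity behaviour this section relies on: `try`/`catch` covers only the external call named in the `try` expression, so a call made in an earlier statement propagates its revert. The interfaces, contract, event and function names are hypothetical, simplified stand-ins for `IWell` and `ICumulativePump`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified stand-ins for IWell / ICumulativePump (assumption).
interface IPumpSource {
    function pumps() external view returns (address[] memory);
}

interface IReservesPump {
    function readCumulativeReserves(address well) external view returns (bytes memory);
}

contract OracleInitSketch {
    event Snapshot(address indexed well, bytes data);

    // Same shape as the snippet above: the first external call is a plain
    // statement, so a revert from it is not handled by the try/catch below.
    function initUnguarded(address well) external {
        address[] memory p = IPumpSource(well).pumps(); // outside try/catch
        try IReservesPump(p[0]).readCumulativeReserves(well) returns (bytes memory s) {
            emit Snapshot(well, s);
        } catch {
            emit Snapshot(well, new bytes(0));
        }
    }

    // Each external call sits in its own try. Conditions that revert in the
    // caller's own frame (no code at the target, empty array) are checked first.
    // Malformed return data would still revert while being decoded.
    function initGuarded(address well) external {
        if (well.code.length == 0) { emit Snapshot(well, new bytes(0)); return; }
        try IPumpSource(well).pumps() returns (address[] memory p) {
            if (p.length == 0 || p[0].code.length == 0) {
                emit Snapshot(well, new bytes(0));
                return;
            }
            try IReservesPump(p[0]).readCumulativeReserves(well) returns (bytes memory s) {
                emit Snapshot(well, s);
            } catch {
                emit Snapshot(well, new bytes(0));
            }
        } catch {
            emit Snapshot(well, new bytes(0));
        }
    }
}
```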

Impact

   // Need to handle failure gracefully, so Sunrise does not revert.

Sunrise must not revert in any case, but this case is not handled, and the Sunrise revert happens before the try/catch.

Tools Used

Manual Review

Recommendations

function capture(
address well
) external returns (int256 deltaB) {
bytes memory lastSnapshot = LibAppStorage.diamondStorage().wellOracleSnapshots[well];
+ address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();
+ for (uint256 i = 0; i < tokens.length; i++) {
+ if (well == token[i]){
+ address _well = token[i]; }
+ }
if (lastSnapshot.length > 0) {
- deltaB = updateOracle(well, lastSnapshot);
+ deltaB = updateOracle(_well, lastSnapshot);
} else {
- initializeOracle(well);
+ initializeOracle(_well);
}
deltaB = LibMinting.checkForMaxDeltaB(deltaB);
}
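Review bot: `_well` is declared inside the body of the added `if`, so it is out of scope at the later `updateOracle(_well, lastSnapshot)` and `initializeOracle(_well)` calls, and the loop reads `token[i]` while the array is declared as `tokens`; as written the patch does not compile. Declare the result before the loop and compare against `tokens[i]`. The added lines also have no branch for the case where no entry matches, and no explicit zero-address check even though the title names one; decide whether a non-whitelisted `well` should return early or revert, and document that choice against the stated goal that Sunrise does not revert.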
Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
