Beanstalk Part 3

Beanstalk

DeFiHardhat

21,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Potential System Halt Due to Unlimited Stems

hunter_w3b

Summary

In the convert function potential system halt due to processing an excessive number of zero value stems.

Vulnerability Details

The convert function can process an unlimited number of stems due to the lack of input validation. If a user sends an excessive number of zero value stems, specifically the maximum value for int96, it can cause the system to halt. This is because the loop in the function _withdrawTokens will attempt to process more stems than the system can handle.

function convert(

bytes calldata convertData,

int96[] memory stems,

uint256[] memory amounts

)

external

payable

nonReentrant

returns (int96 toStem, uint256 fromAmount, uint256 toAmount, uint256 fromBdv, uint256 toBdv)

{

uint256 grownStalk;

LibConvert.convertParams memory cp = LibConvert.convert(convertData);

if (cp.decreaseBDV) {require(stems.length == 1 && amounts.length == 1, "Convert: DecreaseBDV only supports updating one deposit.");}

require(cp.fromAmount > 0, "Convert: From amount is 0.");

// Replace account with msg.sender if no account is specified.

if(cp.account == address(0)) cp.account = msg.sender;

LibSilo._mow(cp.account, cp.fromToken);

// If the fromToken and toToken are different, mow the toToken as well.

if (cp.fromToken != cp.toToken) LibSilo._mow(cp.account, cp.toToken);

// Withdraw the tokens from the deposit.

(grownStalk, fromBdv) = _withdrawTokens(

cp.fromToken,

stems,

amounts,

cp.fromAmount,

cp.account

);

// Calculate the bdv of the new deposit.

uint256 newBdv = LibTokenSilo.beanDenominatedValue(cp.toToken, cp.toAmount);

// If `decreaseBDV` flag is not enabled, set toBDV to the max of the two bdvs.

toBdv = (newBdv > fromBdv || cp.decreaseBDV) ? newBdv : fromBdv;

toStem = _depositTokensForConvert(cp.toToken, cp.toAmount, toBdv, grownStalk, cp.account);

// Retrieve the rest of return parameters from the convert struct.

toAmount = cp.toAmount;

fromAmount = cp.fromAmount;

emit Convert(cp.account, cp.fromToken, cp.toToken, cp.fromAmount, cp.toAmount);

}

function _withdrawTokens if the value of germStem.germinatingStem is zero and the maximum array length of stems is exceeded or zero values, it will halt the system.

while ((i < stems.length) && (a.active.tokens < maxTokens)) {

// skip any stems that are germinating, due to the ability to

// circumvent the germination process.

if (germStem.germinatingStem <= stems[i]) {

i++;

continue;

}

Impact

System Halt: If the value of germStem.germinatingStem is zero and the maximum array length of stems is exceeded, it will halt the system.

Tools Used

Manual Review

Recommendations

Validate Input Lengths:
- Ensure the stems array length is within acceptable limits to prevent system overload.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

21,000 USDC

nSLOC

1,104

19 USDC / LOC

High Medium

17,900 USDC

Low

1,000 USDC

Judges

2,100 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.