Incorrect Calculation of Plots in `getNumStemsAndPlots`
Summary
The getNumStemsAndPlots function in MetadataImage.sol incorrectly calculates the number of plots to be displayed in the Beanstalk Silo Deposit NFT image. This miscalculation can lead to a visual discrepancy where the number of plots shown in the image is one more than the actual number of plots earned.
Vulnerability Details
The function getNumStemsAndPlots is responsible for calculating the number of stems and plots based on the grownStalkPerBDV value. The calculation for plots is as follows:
The issue lies in the unconditional addition of 1 to the result of numStems.div(16). This addition should only occur if there is a remainder after dividing numStems by 16. If numStems is perfectly divisible by 16, the current calculation will overestimate the number of plots by 1.
Impact
The impact of this vulnerability is primarily visual. The number of plots displayed in the Beanstalk Silo Deposit NFT image may be incorrect by one plot. This discrepancy could mislead users about the actual number of plots they have earned. However, it does not affect the underlying functionality or security of the contract, as the actual number of plots is correctly tracked elsewhere in the contract.
Tools Used
Manual code review
Recommendations
To fix this issue, modify the calculation of plots in the getNumStemsAndPlots function as follows:
This corrected calculation will ensure that the number of plots is accurately determined, preventing the visual discrepancy in the NFT image.
Lead Judging Commences
Informational/Gas
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
`getNumStemsAndPlots` incorrectly adds one twice
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.