Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

The `LibWeth` hardcodes the `WETH` address which makes it incompatible on the to-deploy L2 chain

bauchibred

Summary

The LibWeth library hardcodes the WETH address, which makes all the wrapping/unwrapping functionality it entails to be unavailable/incompatible with the L2 chain where Beanstalk will be deployed.

Vulnerability Details

Take a look at https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/8c8710df547f7d7c5dd82c5381eb6b34532e4484/protocol/contracts/libraries/Token/LibWeth.sol#L15-L37

library LibWeth {

address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

function wrap(uint256 amount, LibTransfer.To mode) internal {

deposit(amount);

LibTransfer.sendToken(IERC20(WETH), amount, msg.sender, mode);

}

function unwrap(uint256 amount, LibTransfer.From mode) internal {

amount = LibTransfer.receiveToken(IERC20(WETH), amount, msg.sender, mode);

withdraw(amount);

(bool success, ) = msg.sender.call{value: amount}(new bytes(0));

require(success, "Weth: unwrap failed");

}

function deposit(uint256 amount) private {

IWETH(WETH).deposit{value: amount}();

}

function withdraw(uint256 amount) private {

IWETH(WETH).withdraw(amount);

}

This is the whole library that handles the wrapping and unwrapping Weth, issue however is that the WETH address has been hardcoded as 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2.

And with the Beanstalk the finale contest, The Beanstalk team hinted that the contracts are to be deployed on an L2, the votes for this has already been passed, and this snapshot shows how this would be done.

Problem however is that the 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 is only sure as the WETH address on the EThereum mainnet if the contracts get deployed on an L2 that does not have the 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 address as WETH, then all the functionalities of this contract are effectively DOS'd and unaccessible.

Impact

Complete DOS to thee functionality of wrapping and unwrapping WETH on the to-deploy L2 chain, would be key to note that in this case not only is the LibWeth affected, but all functionalities that query this, i.e the TokenFacers

Tools Used

Manual review

Recommendations

Consider not hardcoding 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 as the WETH address, considering the protocol is to be deployed on multiple chains and then have the correct address be passed during deployment.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Assigned finding tags:

Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's

Appeal created

bauchibred Submitter

12 months ago

inallhonesty Lead Judge

12 months ago

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Hardcoded WETH/WSTETH/USDC/USDT won't be the same on L2's

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.