The WellPrice.sol contract in the Beanstalk project may contain an integer overflow vulnerability in the getConstantProductWell function. This error occurs when calculating the liquidity of a well, which can lead to inaccurate results and cause unintended consequences.
The getConstantProductWell function in WellPrice.sol performs the following calculation to compute the liquidity of a well:
Where:
pool.balances[beanIndex] is the balance of Bean tokens in the well.
pool.price is the price of Bean in the well.
PRICE_PRECISION is a constant to adjust the precision of the price (1e6).
If the values of pool.balances[beanIndex] and pool.price are large enough, the result of the multiplication may exceed the maximum value of the uint256 data type (2^256 - 1), leading to an integer overflow. This will cause the pool.liquidity value to be inaccurate, potentially 0 or a very small value.
The pool.liquidity value is used to calculate the weighted average price of Bean in the BeanstalkPrice.sol contract. If pool.liquidity is inaccurate, the final Bean price will also be inaccurate.
Manual Code Review
Use the SafeMath library (or similar) to perform safer arithmetic operations, or use the mulDiv function from the PRBMath library:
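The arithmetic behaviours this finding contrasts, modelled in Python as an added example (not code from WellPrice.sol, PRBMath or the submission). It assumes the calculation has the form balance * price / PRICE_PRECISION; the function names and sample values are constructed for illustration.

```python
# Model of uint256 arithmetic; inputs are assumed to be valid uint256 values.
UINT256_MAX = 2**256 - 1
PRICE_PRECISION = 10**6  # value stated in the finding

class Revert(Exception):
    """Stands in for an EVM revert."""

def wrapping_mul_div(balance, price):
    """Unchecked arithmetic: the product is silently reduced mod 2**256."""
    return ((balance * price) & UINT256_MAX) // PRICE_PRECISION

def checked_mul_div(balance, price):
    """SafeMath-style: revert when the intermediate product overflows."""
    product = balance * price
    if product > UINT256_MAX:
        raise Revert("multiplication overflow")
    return product // PRICE_PRECISION

def mul_div(balance, price, denominator=PRICE_PRECISION):
    """mulDiv-style: full-width intermediate product; revert only if the
    final quotient does not fit in uint256 (or the denominator is zero)."""
    if denominator == 0:
        raise Revert("division by zero")
    result = (balance * price) // denominator
    if result > UINT256_MAX:
        raise Revert("result overflow")
    return result

def max_safe_balance(price):
    """Largest balance whose product with `price` still fits in uint256."""
    return UINT256_MAX // price

def compare(balance, price):
    """Outcome of each strategy for one (balance, price) pair."""
    out = {"wrapping": wrapping_mul_div(balance, price)}
    for name, fn in (("checked", checked_mul_div), ("mul_div", mul_div)):
        try:
            out[name] = fn(balance, price)
        except Revert as exc:
            out[name] = f"revert: {exc}"
    return out

if __name__ == "__main__":
    # Constructed inputs: an ordinary pair, then one whose product overflows.
    print(compare(5_000_000, 1_010_000))
    print(compare(2**240, PRICE_PRECISION))
```

`max_safe_balance` gives the bound to compare against the token's realistic supply when judging whether the overflow is reachable.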