Grown Stalk is incorrectly calculated in ReseedSilo
Summary
ReseedSilo migrates Silo deposits. It calculates stalk associated with deposits' owner by combining 2 types of Stalk: reward Stalk and Stalk issued during deposit.
Problem is that during reward Stalk calculation it overestimates actual amount by 1e6 times.
Vulnerability Details
Here you can see in ReseedSilo it multiplies stem delta and BDV:
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/init/reseed/L2/ReseedSilo.sol#L132
However stem already represents Stalk amount issued per BDV, i.e. per 1e6 BDV. For example if stem delta is 5.4e6 and BDV is 10e6, it should calculate 54e6 Stalk.
You can find correct implementation in old part of Beanstalk:
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/libraries/Silo/LibSilo.sol#L650-L669
Impact
ReseedSilo overestimates migrated Stalk by 1e6 times. It means new deposits will give too low Stalk compared to migrated, it completely breaks governance because Stalk is governance token.
Additionally migrated deposits will steal all the Beans from new depositors distributed to Silo at the start of the season
Tools Used
Manual Review
Recommendations
Lead Judging Commences
L2ContractMigrationFacet migrates incorrect amount of Stalk should be divided by 1e6
Appeal created
ReseedSilo migrates incorrect amount of Stalk should be divided by 1e6
ReseedSilo migrates incorrect amount of Stalk should be divided by 1e6
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.