Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

`LibEthUsdOracle` returns 0 when it should return the price from Chainlink.

holydevoti0n

Vulnerability Details

When the LibWellMintingfails to fetch the price from the reserves, the usdTokenPriceis set to 0. Let's consider for this case that the BEAN_ETH_WELL has been set to 0.

function setUsdTokenPriceForWell(address well, uint256[] memory ratios) internal {

AppStorage storage s = LibAppStorage.diamondStorage();

// If the reserves length is 0, then {LibWellMinting} failed to compute

// valid manipulation resistant reserves and thus the price is set to 0

// indicating that the oracle failed to compute a valid price this Season.

if (ratios.length == 0) {

@> s.sys.usdTokenPrice[well] = 0; // @audit oracle failed. price set to zero

} else {

(, uint256 j) = getNonBeanTokenAndIndexFromWell(well);

s.sys.usdTokenPrice[well] = ratios[j];

}

LibEthUsdOracle has a function getEthUsdPriceFromStorageIfSaved. This function will return 0for the case above. When in fact, it should get the current price from Chainlink.

function getEthUsdPriceFromStorageIfSaved() internal view returns (uint256) {

AppStorage storage s = LibAppStorage.diamondStorage();

uint256 priceInStorage = s.sys.usdTokenPrice[C.BEAN_ETH_WELL]; // @audit should use BEAN_WSTETH_WELL

@> if (priceInStorage == 1) { // @audit - returns 0 when oracle fails due to priceInStorage == 0.

return getEthUsdPrice();

}

return priceInStorage;

}

Impact

getEthUsdPriceFromStorageIfSaved will return the 0when it should return the price from Chainlink.

Tools Used

Manual Review

Recommendations

Consider the case of when Oracle fails to get the price from Chainlink.

function getEthUsdPriceFromStorageIfSaved() internal view returns (uint256) {

AppStorage storage s = LibAppStorage.diamondStorage();

uint256 priceInStorage = s.sys.usdTokenPrice[C.BEAN_ETH_WELL];

- if (priceInStorage == 1) {

+ if (priceInStorage <= 1) {

return getEthUsdPrice();

}

return priceInStorage;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.