Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`enrootDeposits` allows for losing `bdv` on individual deposits

deadrosesxyz

Summary

User might lose bdv on individual deposits when calling enrootDeposits

Vulnerability Details

The way enrootDeposit works is that if a user has a deposit in an unripe token and its bdv (Bean denominated value) has increased, the user can call the function and update the deposit to the current appropriate bdv

// remove Deposit and Redeposit with new BDV

uint256 ogBDV = LibTokenSilo.removeDepositFromAccount(

LibTractor._user(),

token,

stem,

amount

);

// Remove Deposit does not emit an event, while Add Deposit does.

emit RemoveDeposit(LibTractor._user(), token, stem, amount, ogBDV);

// Calculate the current BDV for `amount` of `token` and add a Deposit.

uint256 newBDV = LibTokenSilo.beanDenominatedValue(token, amount);

LibTokenSilo.addDepositToAccount(

LibTractor._user(),

token,

stem,

amount,

newBDV,

LibTokenSilo.Transfer.noEmitTransferSingle

); // emits AddDeposit event

// Calculate the difference in BDV. Reverts if `ogBDV > newBDV`.

deltaBDV = newBDV.sub(ogBDV);

The problem is that this invariant is not enforced for individual deposits when using enrootDeposits. When using enrootDeposits it's only looked that the total new bdv is larger than the old total bdv.

Meaning that if a user has had to equal deposits at bdv $1.00 and $1.20, they've called the function enrootDeposits when the actual bdv is $1.15, the transaction would succeed, although the user has lost bdv on their 2nd deposit (and it would've been more profitable for them if they had simply enrooted the first deposit only).

Since bdv is dynamic (based on an oracle's value) and a user's transaction might be stuck for a long time (e.g. due to set low gas), user could accidentally execute the transaction in suboptimal conditions, resulting in a loss.

Impact

Loss of bdv(and therefore stalk (governance power) and roots too)

Tools Used

Recommendations

Check that the bdv of each individual deposit is less than the current bdv

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

deadrosesxyz Submitter

over 1 year ago

giovannidisiena Auditor

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.