Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

L2 - Protocol does not support externally owned well tokens migration

holydevoti0n

Summary

Beanstalk provides two kinds of user balance:

External
Internal

For the L2 migration, the protocol is migrating internal balances through the ReseedInternalBalances and for external assets, there is only the migration for Beans.

Users that own Well external assets like BEAN_WETH or BEAN_CURVE3Pool have no option to migrate those assets to the L2.

Vulnerability Details

// @audit only support Beans migration

function recieveL1Beans(address reciever, uint256 amount) external nonReentrant {

// verify msg.sender is the cross-chain messenger address, and

// the xDomainMessageSender is the L1 Beanstalk contract.

require(

msg.sender == address(BRIDGE) &&

IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK

);

s.sys.migration.migratedL1Beans += amount;

require(

EXTERNAL_L1_BEANS >= s.sys.migration.migratedL1Beans,

"L2Migration: exceeds maximum migrated"

);

C.bean().mint(reciever, amount);

}

Impact

Users with externally owned LP assets will not be able to move their assets through the protocol.
If users opt to do it manually, they will have to lose money with gas fees to: remove the liquidity from Basin, use a bridge service for both assets/swap them into one, and then finally migrate it to L2 using an external service and only then converting those assets back to WellLP again on L2.

Tools Used

Manual Review

Recommendations

Provide also a migration for externally owned Well LP through the L2MigrationFacet and L1ReceiverFacet exactly as it is done for Beans. Burning the assets on L1 and minting them on L2.

This way users can safely and with one step migrate their LP assets directly to L2.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.