DeFiHardhatFoundry
250,000 USDC
View results
Submission Details
Severity: low
Invalid

L2 - Protocol does not support externally owned well tokens migration

Summary

Beanstalk provides two kinds of user balance:

  • External

  • Internal

For the L2 migration, the protocol is migrating internal balances through the ReseedInternalBalances and for external assets, there is only the migration for Beans.

Users that own Well external assets like BEAN_WETH or BEAN_CURVE3Pool have no option to migrate those assets to the L2.

Vulnerability Details

// @audit only support Beans migration
function recieveL1Beans(address reciever, uint256 amount) external nonReentrant {
// verify msg.sender is the cross-chain messenger address, and
// the xDomainMessageSender is the L1 Beanstalk contract.
require(
msg.sender == address(BRIDGE) &&
IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK
);
s.sys.migration.migratedL1Beans += amount;
require(
EXTERNAL_L1_BEANS >= s.sys.migration.migratedL1Beans,
"L2Migration: exceeds maximum migrated"
);
C.bean().mint(reciever, amount);
}

Impact

  • Users with externally owned LP assets will not be able to move their assets through the protocol.

  • If users opt to do it manually, they will have to lose money with gas fees to: remove the liquidity from Basin, use a bridge service for both assets/swap them into one, and then finally migrate it to L2 using an external service and only then converting those assets back to WellLP again on L2.

Tools Used

Manual Review

Recommendations

Provide also a migration for externally owned Well LP through the L2MigrationFacet and L1ReceiverFacet exactly as it is done for Beans. Burning the assets on L1 and minting them on L2.

This way users can safely and with one step migrate their LP assets directly to L2.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.