Submission Details
Severity:
SeasonGettersFacet returns the wrong totalDeltaB
Vulnerability Details
According to the docs the totalDeltaB should: Returns the total Delta B across all whitelisted minting liquidity Wells.
But currently, it returns the deltaB from the C.BEAN_ETH_WELL pool.
/**
* @notice Returns the total Delta B across all whitelisted minting liquidity Wells.
*/
function totalDeltaB() external view returns (int256 deltaB) {
// @audit wrong token here. should be wseth, check whether it was submitted before.
deltaB = LibWellMinting.check(C.BEAN_ETH_WELL);
}
Impact
SeasonGettersFacet will never return the correct for the
totalDeltaBleading any consumer of this function to show the incorrect price.
Tools Used
Manual Review
Recommendations
Include the deltaB from all the whitelisted liquidity wells.
function totalDeltaB() external view returns (int256 deltaB) {
- deltaB = LibWellMinting.check(C.BEAN_ETH_WELL);
+ address[] memory tokens = LibWhitelistedTokens.getWhitelistedWellLpTokens();
+ for (uint256 i = 0; i < tokens.length; i++) {
+ deltaB = deltaB.add(LibWellMinting.check(tokens[i]));
+ }
}
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Non-acceptable severity
Assigned finding tags:
SeasonGettersFacet returns the wrong totalDeltaB
Appeal created
holydevoti0n
11 months ago
golanger85
11 months ago
inallhonesty
11 months ago
inallhonesty 10 months ago
Submission Judgement Published Assigned finding tags:
SeasonGettersFacet returns the wrong totalDeltaB
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.