Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Slippage Mitigation in Beanstalk's Conversion Mechanism

lordofterra

Summary

The ConvertFacet contract, along with its associated libraries (LibTractor, LibSilo, LibTokenSilo, LibConvert, LibConvertData, LibPipelineConvert), performs various token conversions within the Beanstalk protocol. However, none of these contracts include mechanisms to mitigate slippage, such as checking for minimum output amounts or accepting slippage tolerance parameters.

Proof of concept

1: A user wants to convert BEAN to LP tokens.

2: The user calls the convert function with specific convertData.

3: Due to market volatility, the amount of LP tokens received is significantly lower than expected.

4: Due to market volatility, the amount of LP tokens received is significantly lower than expected.

Impact

The absence of slippage mitigation in the convert function of the ConvertFacet contract can lead to unfavorable conversions for users. In volatile market conditions, this can result in users receiving significantly less output than expected, leading to financial losses.

Tools Used

Manaul review

Recommendations

1: Enhance the convert function to accept slippage tolerance parameters and check for minimum output amounts.

function convert(

bytes calldata convertData,

int96[] memory stems,

uint256[] memory amounts,

uint256 minOutputAmount

)

external

payable

fundsSafu

noSupplyChange

nonReentrant

returns (int96 toStem, uint256 fromAmount, uint256 toAmount, uint256 fromBdv, uint256 toBdv)

{

// Other code...

(toToken, fromToken, toAmount, fromAmount) = LibConvert.convert(convertData);

// Check for slippage

require(toAmount >= minOutputAmount, "Convert: Slippage too high.");

// Other code...

emit Convert(LibTractor._user(), fromToken, toToken, fromAmount, toAmount);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

Lack of slippage in convert

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.