Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

`getTokenEntitlementsAndBalances` does not include `s.sys.silo.earnedBeans`

deadrosesxyz

Summary

getTokenEntitlementsAndBalances does not include s.sys.silo.earnedBeans

Vulnerability Details

When Beans is above peg, beans can be allocated to stalk holders. They're first added in s.sys.silo.earnedBeans.

However, Invariable#getTokenEntitlementsAndBalances which should calculate all token entitlements and check whether the balances are enough to cover them (in order to prevent from exploits) does not take s.sys.silo.earnedBeans into account.

function getTokenEntitlementsAndBalances(

address[] memory tokens

) internal view returns (uint256[] memory entitlements, uint256[] memory balances) {

AppStorage storage s = LibAppStorage.diamondStorage();

entitlements = new uint256[](tokens.length);

balances = new uint256[](tokens.length);

for (uint256 i; i < tokens.length; i++) {

entitlements[i] =

s.sys.silo.balances[tokens[i]].deposited +

s.sys.silo.germinating[GerminationSide.ODD][tokens[i]].amount +

s.sys.silo.germinating[GerminationSide.EVEN][tokens[i]].amount +

s.sys.internalTokenBalanceTotal[IERC20(tokens[i])];

if (tokens[i] == C.BEAN) {

entitlements[i] +=

(s.sys.fert.fertilizedIndex -

s.sys.fert.fertilizedPaidIndex +

s.sys.fert.leftoverBeans) + // unrinsed rinsable beans

s.sys.silo.unripeSettings[C.UNRIPE_BEAN].balanceOfUnderlying; // unchopped underlying beans

for (uint256 j; j < s.sys.fieldCount; j++) {

entitlements[i] += (s.sys.fields[j].harvestable - s.sys.fields[j].harvested); // unharvested harvestable beans

}

} else if (tokens[i] == LibUnripe._getUnderlyingToken(C.UNRIPE_LP)) {

entitlements[i] += s.sys.silo.unripeSettings[C.UNRIPE_LP].balanceOfUnderlying;

}

entitlements[i] += s.sys.sop.plentyPerSopToken[tokens[i]];

balances[i] = IERC20(tokens[i]).balanceOf(address(this));

}

return (entitlements, balances);

}

As of right now, there's over $1M in earnedBeans which means that Invariable would allow for an exploit of up to $1M in Beans to occur.

Impact

earnedBeans are not accounted for. Invariable contract does not work properly for its main asset.

Tools Used

Manual review

Recommendations

Take into account s.sys.silo.earnedBeans

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

`getTokenEntitlementsAndBalances` does not include `s.sys.silo.earnedBeans`

Appeal created

deadrosesxyz Submitter

about 1 year ago

T1MOH Auditor

about 1 year ago

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.