DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Trader could possibly lose funds (i.e. pay more quoteToken)

Summary

The trader has no way to set a maximum inputAmount. If, for example, the price returned by the Oracle (any Oracle) is wrong or inaccurate, which is possible, the trader will pay more quoteToken than they expect.

Vulnerability Details

    function getTwap(
        uint32 lookback,
        address pool,
        address token1,
        address token2,
        uint128 oneToken
    ) internal view returns (uint256 price) {
        (bool success, int24 tick) = consult(pool, lookback);
        if (!success) return 0;
        price = OracleLibrary.getQuoteAtTick(tick, oneToken, token1, token2);
    }

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/libraries/Oracle/LibUniswapOracle.sol#L29C4-L39C6

It is possible that the price is stale or wrong, and because no maximum inputAmount check is enforced as a safeguard, the trader could pay more quoteToken. That is, the Swapper owner will receive more quote tokens and the trader will receive less, which is a loss to the trader.

Impact

The trader will receive fewer tokens and the Swapper owner will receive more. In other words, the trader will lose funds.

Tools Used

Manual Review

Recommendations

Add a parameter maxInputAmount to the method to allow the trader to set a maximum input amount (i.e. a maximum quote amount) to be transferred from them. Then, if amountsToBeneficiary is greater than maxInputAmount, revert.
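
One way to implement the recommended bound, shown as an added example that is not part of the submission or the audited codebase. The contract, interfaces and error names are hypothetical, and the oracle is assumed to return 0 on a failed lookup, as getTwap does above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interfaces for illustration; not taken from the audited codebase.
interface IPriceOracle {
    // Quote tokens owed for `baseAmount` of base token. Assumed to return 0 on a
    // failed lookup, mirroring getTwap returning 0 when consult fails.
    function quote(uint256 baseAmount) external view returns (uint256 quoteAmount);
}

// Assumes tokens that return a bool; non-standard tokens need a safe-transfer wrapper.
interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract CappedOracleSwap {
    error OracleUnavailable();
    error InputAboveMax(uint256 required, uint256 maxInputAmount);
    error TransferFailed();

    IPriceOracle public immutable oracle;
    IERC20Minimal public immutable baseToken;
    IERC20Minimal public immutable quoteToken;
    address public immutable beneficiary;

    constructor(IPriceOracle o, IERC20Minimal base, IERC20Minimal quote_, address b) {
        oracle = o;
        baseToken = base;
        quoteToken = quote_;
        beneficiary = b;
    }

    // The trader buys `baseAmount` of base token held by this contract and pays quote
    // token at the oracle price, but never more than `maxInputAmount`.
    function swap(uint256 baseAmount, uint256 maxInputAmount) external returns (uint256 amountToBeneficiary) {
        amountToBeneficiary = oracle.quote(baseAmount);
        // A zero price means the lookup failed; do not hand out tokens for free.
        if (amountToBeneficiary == 0) revert OracleUnavailable();
        // The trader's bound: a stale or skewed price reverts instead of overcharging.
        if (amountToBeneficiary > maxInputAmount) revert InputAboveMax(amountToBeneficiary, maxInputAmount);

        if (!quoteToken.transferFrom(msg.sender, beneficiary, amountToBeneficiary)) revert TransferFailed();
        if (!baseToken.transfer(msg.sender, baseAmount)) revert TransferFailed();
    }
}
```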

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Quality
