DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Missing slippage protection in `LibFlood.sopWell()` function leads to potential financial exploits

Summary

The sopWell function in the Beanstalk protocol's LibFlood library lacks slippage protection and uses an open-ended deadline for swaps. This vulnerability can be exploited by attackers to manipulate swap rates, leading to significant financial losses for the protocol.

Vulnerability Details

The sopWell function is used during a Season of Plenty (SOP) to restore the Bean price to its peg by minting additional Beans and selling them directly on the SOP well. The proceeds from the sale, in the form of WETH, are then distributed to Stalkholders. The function performs the swap with a minimum acceptable output amount of 0 and uses type(uint256).max for the deadline, making it susceptible to front-running and sandwich attacks. Here is the relevant code snippet from the sopWell function:

```solidity
function sopWell(WellDeltaB memory wellDeltaB) private {
    // ...
    uint256 amountOut = IWell(wellDeltaB.well).swapFrom(
        C.bean(),
        sopToken,
        sopBeans,
        0, // minimum amount out: no slippage bound
        address(this),
        type(uint256).max // deadline: never expires
    );
    // ...
}
```

  1. Front-Running Attack: Attackers can observe the transaction and place their own orders to manipulate the price before the swap executes, leading to unfavorable rates for the protocol.

  2. Sandwich Attack: Attackers can place two transactions, one before and one after the sopWell swap, to manipulate the price and profit from the resulting slippage.

Proof of Concept:

  1. Front-Running Attack:

    • Attacker monitors the mempool for sopWell transactions.

    • They submit a transaction that alters the pool’s state to make the swap rate worse.

    • After the sopWell transaction executes at the unfavorable rate, the attacker reverts the pool’s state to its original state.

  2. Sandwich Attack:

    • Attacker places a buy order before the sopWell swap to increase the price.

    • The sopWell transaction executes at the higher price, buying fewer tokens.

    • The attacker then sells at the inflated price, profiting from the difference.

Impact

Exploiting this vulnerability can lead to significant financial losses for the protocol due to unfavorable swap rates.

Tools Used

Manual code review

Recommendations

  1. Implement Slippage Protection: Add a reasonable amountOutMin parameter to the swapFrom function to ensure that swaps only occur within acceptable price ranges.

  2. Set a Reasonable Deadline: Use a more restricted deadline for swap transactions to limit the window of opportunity for attackers to manipulate the market conditions.

Refer to the DefiHackLabs article on slippage protection for detailed guidance on implementing these measures effectively.
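The effect of the two parameters named in the recommendations can be seen in a small model. This is an added example, not part of the submission and not Beanstalk or Basin code: it assumes a fee-free constant-product pool, uses constructed reserves and amounts, and the helper names (`Pool`, `min_out`, `sop_swap`) and the source of the reference quote are hypothetical.

```python
# Added illustration, not Beanstalk or Basin code. Assumes a fee-free
# constant-product pool (x * y = k); reserves and amounts are constructed.
BPS = 10_000
UINT256_MAX = 2**256 - 1  # what type(uint256).max evaluates to

class SwapReverted(Exception):
    """Stands in for an on-chain revert."""

class Pool:
    def __init__(self, bean_reserve, weth_reserve):
        self.bean, self.weth = bean_reserve, weth_reserve

    def quote_out(self, beans_in):
        # Output for beans_in under x * y = k, rounded down.
        return self.weth * beans_in // (self.bean + beans_in)

    def swap_from(self, beans_in, min_amount_out, deadline, now):
        # Models the fourth and sixth arguments of the swapFrom call above.
        if now > deadline:
            raise SwapReverted("expired")
        out = self.quote_out(beans_in)
        if out < min_amount_out:
            raise SwapReverted("slippage")
        self.bean += beans_in
        self.weth -= out
        return out

def min_out(reference_out, tolerance_bps):
    # Floor derived from a reference quote; where that quote comes from is
    # an assumption here, the page does not name a source.
    return reference_out * (BPS - tolerance_bps) // BPS

def sop_swap(min_amount_out, moved_first, deadline=UINT256_MAX, now=0):
    pool = Pool(1_000_000, 1_000_000)
    if moved_first:
        # An earlier trade in the same block has already moved the reserves.
        pool.swap_from(200_000, 0, UINT256_MAX, now)
    return pool.swap_from(100_000, min_amount_out, deadline, now)

if __name__ == "__main__":
    fair = sop_swap(0, moved_first=False)
    floor = min_out(fair, 100)  # 1% tolerance
    print("fair:", fair, "floor:", floor)
    print("min 0, moved pool:", sop_swap(0, moved_first=True))
    try:
        sop_swap(floor, moved_first=True)
    except SwapReverted as e:
        print("bounded swap reverted:", e)
```

A floor only helps if the reference quote cannot be moved by the same trade that moves the pool, and a deadline computed from the current block inside the same transaction always passes.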

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Lack of slippage in sopWell
