gm can be called multiple times in a current running season.
Summary
Relying on expected season number to ensure gm is called only once can be bypassed.
Vulnerability Details
Inside contract SeasonFacet.sol, within function gm there is a check to ensure gm should not be called more than once which is expected season number should be more than current season.
function seasonTime() is used to calculate and return expected season number
but above calculation is based on the consideration that every season is consecutive without any delay which is not the case in reality there can be delay in advancement of Beanstalk to next season.
Suppose there is on average 1 minute delay between 2 consecutive seasons then after few hundred seasons (for easy calculation) there will be time when expected season calculated using function seasonTime() gives much higher expected season number compared to current season value such that during running season gm could be called more than once by bypassing require(seasonTime() > s.sys.season.current, "Season: Still current Season.");
Impact
Affecting the core functionalities of Beanstalk as GM should be call only once per season.
Tools Used
Manual review
Recommendations
instead of relying on expected season number apply check - block.timestamp - (timestamp of last gm call) < s.sys.season.period then revert
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.