low

Deprecated pool BEAN:WETH on LibBarnRaise used as fallback

Reward

Total: 381.36 USDC

Selected: 381.36 USDC
Selected Submission

Severity

Medium Risk

Relevant GitHub Links

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/a3d702c2e108cac6ebdf2416906cbca73c83ec99/protocol/contracts/libraries/LibBarnRaise.sol#L26-L29

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/a3d702c2e108cac6ebdf2416906cbca73c83ec99/protocol/contracts/beanstalk/init/InitMigrateUnripeBeanEthToBeanSteth.sol#L67C23-L67C46

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/a3d702c2e108cac6ebdf2416906cbca73c83ec99/protocol/contracts/libraries/LibFertilizer.sol#L250

Summary

The protocol will migrate the Bean:WETH Well LP to the Bean:wstETH Well LP once the BIP migration is initialized, through the following call path:

InitMigrateUnripeBeanEthToBeanSteth -> LibFertilizer -> beginBarnRaiseMigration -> switchUnderlyingToken

LibUnripe.switchUnderlyingToken(C.UNRIPE_LP, well);

This changes the underlying token of C.UNRIPE_LP to the new Bean:wstETH pool.

Vulnerability Details

Whenever getBarnRaiseWell falls back because underlyingToken is unset, the pool it returns should be the newly added Bean:wstETH Well, not Bean:WETH. Currently, the Bean:WETH pool is returned.

Impact

getBarnRaiseWell is used in several areas of the protocol, such as:

  • Token conversions (LibConvert)
  • Calculating BDV
  • Calculating the caseId

Whenever the fallback underlyingToken is used, it will completely break the protocol logic, because Bean:WETH is no longer the underlying token after the migration.

PoC

Add the following test inside BeanEthToBeanWstethMigration.test.js -> 'Initializes migration':

    describe('When the fallback unlderyingToken is used', async function () {
      it('should return valid fallback token', async function () {
        // Set the unripe LP's underlying token to address(0) to force the fallback branch
        await this.beanstalk.connect(owner).switchUnderlyingToken(UNRIPE_LP, ethers.constants.AddressZero)
        // After the migration the Barn Raise token should be wstETH, not WETH
        expect(await this.beanstalk.getBarnRaiseToken()).to.be.equal(WSTETH)
      })
    })

Output:

21 passing (19s)
  1 failing

  1) Bean:Eth to Bean:Wsteth Migration
       Initializes migration
         When the fallback unlderyingToken is used
           should return valid fallback token:

      AssertionError: expected '0xC02aaA39b223FE8D0A0e5C4F27eAD9083C7…' to equal '0x7f39C581F595B53c5cb19bD0b3f8dA6c935…'
      + expected - actual

      -0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2
      +0x7f39C581F595B53c5cb19bD0b3f8dA6c935E2Ca0

Tools Used

Hardhat & Manual Review

Recommendations

Use C.BEAN_WSTETH_WELL as the fallback for the underlying token in LibBarnRaise. Also, ensure C.BEAN_WSTETH_WELL holds the correct address.

return
            s.u[C.UNRIPE_LP].underlyingToken == address(0)
-                ? C.BEAN_ETH_WELL
+                ? C.BEAN_WSTETH_WELL
                : s.u[C.UNRIPE_LP].underlyingToken;
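
Review bot: the zero-address branch of the ternary still returns a hard-coded constant, so nothing in this hunk ties C.BEAN_WSTETH_WELL to the well that was passed to switchUnderlyingToken, and the fallback can go stale at a later migration the same way C.BEAN_ETH_WELL did. Add a comment on that line stating that the constant must match the current migration target, and keep the PoC's getBarnRaiseToken check (expecting WSTETH after resetting the underlying token to the zero address) as a regression test, so the fallback branch is exercised and a wrong constant address fails the suite.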