Report Date
May 20, 2023
Status
Closed
Payout
BDVFacet is subject to Curve LP oracle manipulation via read-only reentrancy
BIC Response
The code snippet references this line in Curve: raw_call(msg.sender, b"", value=value). This logic is only used in certain Curve pools, none of which are the metapool template used for the BEAN3CRV pool: https://github.com/search?q=repo%3Acurvefi%2Fcurve-contract%20raw_call(msg.sender%2C%20b%22%22%2C%20value%3Dvalue)&type=code.
Given this, it does not appear to be possible for this vulnerability to surface in standard Curve metapools. The POC also does not call Beanstalk at any point.
Due to these reasons, we are re-closing the submission and no reward will be issued.