Report #20760

Report Date: May 24, 2023
Status: Closed
Payout

Oracle vulnerable to Multi-block MEV attack

Report Info

Report ID: #20760

Target

Report type: Smart Contract

Impacts: Illegitimate minting of protocol native assets

Has PoC? Yes

Bug Description

An attacker can manipulate the oracle used to calculate deltaB, causing rewardBean() to be called, leading to illegitimate minting of Beans.

Background

Currently, only one oracle is used to calculate DeltaB, and it is the onchain Curve Bean Pool at 0xc9C32cd16Bf7eFB85Ff14e0c8603cc90F6F2eE49, as shown in the Oracle contract.

DeltaB is calculated as the sum of the liquidity and time weighted average shortages or excesses of Beans in the oracles, as stated in the whitepaper. The time weighting is an arithmetic mean, hence more vulnerable to single block manipulation. The current implementation is only effective at preventing flash loans from manipulating the oracle.

If DeltaB > 0, the SeasonFacet contract believes there is a shortage of Beans and the price of Beans > $1. Hence rewardBeans() is called to mint DeltaB new Beans and distribute them to Stalkholders, Fertilizer and Harvestable.

Impact

If the attacker has previously sown a lot of pods in the Field, owns a lot of fertilizer and is a large stalkholder, he could potentially obtain most of the new Beans created, which is limited to 1% of the total supply of Beans due to checkForMaxDeltaB in LibCurveOracle contract.

Hence, the attacker can currently obtain a maximum of 352,942 Beans in 1 attack. The attack could be repeated, hence Beanstalk will have to pause.

Able to withdraw immediately due to removal of the Withdrawal Timer in the Mayflower update.

Similarly, after the second block, Beans should be substantially undervalued due to arbitrageurs' transactions, hence there is a further profit opportunity.

No loss of attacker funds from arbitrage due to validator control over block transaction ordering. 0.04% fee to curve pool.

Risk Breakdown

Difficulty to Exploit: Easy, requires lots of capital upfront

Weakness: Oracle manipulation

Recommendation

To prevent the attack, perhaps a Chainlink price feed should be used to determine contract behaviour instead of the Curve pool. To mitigate the attack, more oracles should be added.

Reference

Proof of concept

Suppose the attacker is a validator and proposes 2 blocks in a row, shown in references [1] [2] to be feasible. Alternatively, the attacker has access to a dark pool and is a validator. Also assume the block proposal coincides with a new sunrise(), i.e. at least 1 hr after the previous call.

  1. Sow lots of pods in field, buy stalk with beans etc to maximise returns.
  2. In the first block, attacker uses funds to manipulate Curve market by buying large amount of beans.
  3. In the second block, call sunrise(), withdraw all bean assets before placing transactions from arbitrageurs rebalancing pools.

BIC Response

The program states:

All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward.

This is not a valid security bug report because the BIC and BCM are already aware of the potential of a multi-block MEV attack on the Beanstalk oracle.

This is reflected by the existence of the deltaB cap that you reference ("which is limited to 1% of the total supply of Beans due to checkForMaxDeltaB"). You can read more about EBIP-2 here: https://bean.money/ebip-2.

Due to these reasons, we are closing the submission and no reward will be issued.
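
As an added illustration (not part of the report, the BIC response, or Beanstalk's code), this Python sketch models the arithmetic time-weighted deltaB from the Background section together with the 1% cap cited in the response, and runs a leave-one-out check a monitor could use to flag a season whose sign is decided by a single sample. The function names, the sample values, the supply figure and the symmetric clamp are assumptions of the sketch.

```python
# Added illustration; simplified model, not Beanstalk's contract code.
# A sample is (instantaneous deltaB in Beans, seconds that value was in effect).

def twa_delta_b(samples):
    """Arithmetic time-weighted average of deltaB over one season."""
    total_time = sum(dt for _, dt in samples)
    return sum(v * dt for v, dt in samples) // total_time

def cap_delta_b(delta_b, bean_supply, cap_bps=100):
    """Clamp deltaB to +/- cap_bps basis points of supply (1% per the report).
    Symmetric clamping is an assumption of this sketch."""
    limit = bean_supply * cap_bps // 10_000
    return max(-limit, min(limit, delta_b))

def review_season(samples, bean_supply):
    """Leave-one-out check: does one sample decide the sign of the average?"""
    if len(samples) < 2:
        raise ValueError("need at least two samples for a leave-one-out check")
    raw = twa_delta_b(samples)
    # Index of the sample with the largest time-weighted magnitude.
    top = max(range(len(samples)),
              key=lambda i: abs(samples[i][0]) * samples[i][1])
    without_top = twa_delta_b(samples[:top] + samples[top + 1:])
    capped = cap_delta_b(raw, bean_supply)
    return {
        "raw": raw,
        "without_top_sample": without_top,
        "minted_if_positive": max(capped, 0),
        "single_sample_flips_sign": (raw > 0) != (without_top > 0),
        "cap_applied": capped != raw,
    }

# Constructed data: a one-hour season of 300 twelve-second blocks.
BLOCK = 12
SUPPLY = 35_294_200  # constructed so that 1% equals the report's 352,942
quiet = [(-2_000, BLOCK)] * 300
one_outlier = [(-2_000, BLOCK)] * 299 + [(3_000_000, BLOCK)]

if __name__ == "__main__":
    for name, season in (("quiet", quiet), ("one_outlier", one_outlier)):
        print(name, review_season(season, SUPPLY))
```

In the constructed `one_outlier` season a single 12-second sample moves the average from negative to positive, which is the sensitivity of an arithmetic mean the report describes; the cap bounds the result but does not remove that sensitivity.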