Report #31664

Report Date

May 23, 2024

Status

Closed

Payout

Wrong Logic Implementation

‣

Report Info

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
claimed severity is not in scope for the bug bounty program
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.

Wrong Logic Implementation

‣

Report Info

Report ID

#31664

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

Wrong Contract Implimentation Logic

Description

Wrong logic Implementation not accounting for inlationary measures and controls.

Vulnerability Details

When beanstalk price falls below peg, the bean in circulation is increased (scaled up) leading to more minting of bean and supply of more bean in circulation. And then when the bean price is above peg, the soil is scaled down reducing the bean in circulation.

This should be the other way round -When beanstalk price falls below peg, the bean in circulation should be reduced by creating a credit facility and burning circulating beans in order to gain more value and strength against it peg.

And then when the bean price is above peg, the soil should be scaled up to enable more minting of bean and create more bean in circulation.

In essence, the logic should have been accounted for using inflationary measures, design and controls.

Impact Details

This would have an effect on the soil scalling and leading to wrong calculations

References

https://github.com/Cyfrin/2024-04-beanstalk-2/blob/27ff8c87c9164c1fbff054be5f22e56f86cdf127/protocol/contracts/beanstalk/field/FieldFacet.sol#L320-L332

Proof of concept

function _totalSoilAndTemperature() private view returns (uint256 soil, uint256 _morningTemperature, bool abovePeg) {
        _morningTemperature = LibDibbler.morningTemperature();
        abovePeg = s.season.abovePeg;

        // Below peg: Soil is fixed to the amount set during {calcCaseId}.
        // Morning Temperature is dynamic, starting small and logarithmically 
        // increasing to `s.w.t` across the first 25 blocks of the Season.
        if (!abovePeg) {
            soil = uint256(s.f.soil);
        } 
        
        // Above peg: the maximum amount of Pods that Beanstalk is willing to mint
        // stays fixed; since {morningTemperature} is scaled down when `delta < 25`, we
        // need to scale up the amount of Soil to hold Pods constant.
        else {
            soil = LibDibbler.scaleSoilUp(
                uint256(s.f.soil), // max soil offered this Season, reached when `t >= 25`
                uint256(s.w.t).mul(LibDibbler.TEMPERATURE_PRECISION), // max temperature
                _morningTemperature // temperature adjusted by number of blocks since Sunrise
            );
        }
    }

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.

claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
claimed severity is not in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.