Omniscia Beanstalk Audit
SiloEntrance Manual Review Findings
SEE-01M: Flash-Loan Prone LP Evaluation
Type | Severity | Location |
---|---|---|
Logical Fault | | SiloEntrance.sol:L120-L123 |
Description:
The linked LP evaluation is meant to take an input amount of LP units and convert it to its Bean equivalent. In doing so, however, it unfairly weights Bean and its paired asset as equivalent reserves. In turn, a malicious user could flash-loan a huge amount of beans, swap them within the pair, and cause an improper reserve of beans in the pair that is counted twice for the LP evaluation, thus overvaluing LP units by a huge margin.
Example:
```solidity
function lpToLPBeans(uint256 amount) internal view returns (uint256) {
    (,uint256 beanReserve) = reserves();
    return amount.mul(beanReserve).mul(2).div(pair().totalSupply());
}
```
Recommendation:
We advise this trait of the system to be re-evaluated and proper evaluation of LP units to be performed by swapping the WETH equivalent of the LP for bean units, thus representing the true value of the LP unit in beans. We should note that even if this method is utilised, the beans of an LP deposit are evaluated once and as such the contract would still be prone to flash-loan over-evaluations of LP units until an alternative valuation method is utilised (i.e. by using external oracles to ascertain the true USD price of the LP unit similarly to Alpha Homora's V2 LP evaluation code).
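The effect described above can be reproduced numerically. The following is an added example, not code from the audit or from Beanstalk: it models a constant-product pair, applies the `lpToLPBeans` formula before and after a large Bean inflow, and compares it with a fair-reserve valuation `2*sqrt(k*P)/totalSupply` driven by an externally sourced price. The `Pair` class, the 0.3% fee, the `beans_per_weth` parameter and all reserve figures are assumptions constructed for illustration.

```python
from math import isqrt

FEE_NUM, FEE_DEN = 997, 1000  # assumed Uniswap V2 style 0.3% swap fee
UNIT = 10**6                  # constructed: both tokens use 6 decimals here


class Pair:
    """Minimal constant-product pool holding WETH and Bean reserves."""

    def __init__(self, weth, bean, total_supply):
        self.weth, self.bean, self.total_supply = weth, bean, total_supply

    def swap_beans_in(self, beans_in):
        """Sell Beans into the pool; reserves move along x*y=k (plus fee)."""
        in_after_fee = beans_in * FEE_NUM
        weth_out = in_after_fee * self.weth // (self.bean * FEE_DEN + in_after_fee)
        self.bean += beans_in
        self.weth -= weth_out
        return weth_out


def lp_to_lp_beans_spot(pair, amount):
    """Formula from the finding: spot Bean reserve counted twice."""
    return amount * pair.bean * 2 // pair.total_supply


def lp_to_lp_beans_fair(pair, amount, beans_per_weth):
    """Fair-reserve valuation 2*sqrt(k*P)/totalSupply.

    beans_per_weth (P) must come from a source outside this pair
    (oracle or TWAP); it is a hypothetical parameter of this example.
    """
    k = pair.weth * pair.bean
    return amount * 2 * isqrt(k * beans_per_weth) // pair.total_supply


def demo():
    """Value 1% of LP supply before and after a large Bean inflow (constructed numbers)."""
    pair = Pair(1_000 * UNIT, 3_000_000 * UNIT, 10_000 * UNIT)
    price, amount = 3_000, 100 * UNIT
    before = (lp_to_lp_beans_spot(pair, amount), lp_to_lp_beans_fair(pair, amount, price))
    pair.swap_beans_in(27_000_000 * UNIT)  # inflow a flash loan could fund
    after = (lp_to_lp_beans_spot(pair, amount), lp_to_lp_beans_fair(pair, amount, price))
    return before, after


if __name__ == "__main__":
    print(demo())
```

With these numbers the spot-based valuation of the same LP amount rises tenfold after the swap, while the fair-reserve valuation moves only by the small increase in `k` that the swap fee produces.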
Alleviation:
The relevant code was relocated to the LibLPSilo library and was updated to utilize a TWAP implementation thereby alleviating this exhibit.