Omniscia Beanstalk Audit

LibConvert Static Analysis Findings

LCT-01S: Inexistent Usage of SafeMath

Description:

The linked addition that totals the beans converted (beansConverted + beansSold) uses the raw + operator rather than SafeMath, so it is not performed safely.

Example:

protocol/contracts/libraries/LibConvert.sol
    function sellToPegAndAddLiquidity(uint256 beans, uint256 minLP)
        internal
        returns (uint256 lp, uint256 beansConverted)
    {
        (uint256 ethReserve, uint256 beanReserve) = reserves();
        uint256 maxSellBeans = beansToPeg(ethReserve, beanReserve);
        require(maxSellBeans > 0, "Convert: P must be > 1.");
        uint256 sellBeans = calculateSwapInAmount(beanReserve, beans);
        if (sellBeans > maxSellBeans) sellBeans = maxSellBeans;

        (uint256 beansSold, uint256 wethBought) = LibMarket._sell(sellBeans, 1, address(this));
        (beansConverted,, lp) = LibMarket._addLiquidityWETH(wethBought,beans.sub(beansSold),1,1);
        require(lp >= minLP, "Convert: Not enough LP.");
        // Raw + instead of SafeMath add: the addition this finding flags.
        beansConverted = beansConverted + beansSold;
    }

Recommendation:

We advise performing the operation safely by using the add member of the SafeMath library, as is done for the removed beans calculation in the ensuing function.

Alleviation:

The linked calculation is now safely performed by the relevant SafeMath function.
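
A lexical check for this class of finding, run over the function quoted above and over its remediated form. This is an added example, not part of the audit or of the Beanstalk code base; it assumes the contracts rely on SafeMath because the compiler does not check arithmetic itself (Solidity before 0.8), and find_unchecked_arithmetic is a hypothetical name. It is a regex heuristic, not a Solidity parser.

```python
import re

# Constructed input: the function quoted in the finding, flagged line intact.
AUDITED = """\
function sellToPegAndAddLiquidity(uint256 beans, uint256 minLP)
    internal
    returns (uint256 lp, uint256 beansConverted)
{
    (uint256 ethReserve, uint256 beanReserve) = reserves();
    uint256 maxSellBeans = beansToPeg(ethReserve, beanReserve);
    require(maxSellBeans > 0, "Convert: P must be > 1.");
    uint256 sellBeans = calculateSwapInAmount(beanReserve, beans);
    if (sellBeans > maxSellBeans) sellBeans = maxSellBeans;

    (uint256 beansSold, uint256 wethBought) = LibMarket._sell(sellBeans, 1, address(this));
    (beansConverted,, lp) = LibMarket._addLiquidityWETH(wethBought,beans.sub(beansSold),1,1);
    require(lp >= minLP, "Convert: Not enough LP.");
    beansConverted = beansConverted + beansSold;
}
"""
# The remediation the finding recommends: route the addition through SafeMath's add.
FIXED = AUDITED.replace("beansConverted + beansSold", "beansConverted.add(beansSold)")

# String literals and comments are blanked first so their contents never match.
STRING_OR_COMMENT = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|//[^\n]*|/\*.*?\*/', re.S)
# An operand character, then a raw +, -, * (or **, ++, --, and compound forms).
RAW_ARITH = re.compile(r'(?<=[\w)\]])\s*(\*\*|\+\+|--|[+\-*]=?)')


def find_unchecked_arithmetic(source):
    """Return (line number, operator, source line) for each raw arithmetic use."""
    blank = lambda m: re.sub(r"[^\n]", " ", m.group())  # keep line numbering
    cleaned = STRING_OR_COMMENT.sub(blank, source)
    original = source.splitlines()
    return [(n, m.group(1), original[n - 1].strip())
            for n, line in enumerate(cleaned.splitlines(), 1)
            for m in RAW_ARITH.finditer(line)]


if __name__ == "__main__":
    for label, src in (("audited", AUDITED), ("fixed", FIXED)):
        print(label, find_unchecked_arithmetic(src))
```

The line numbers reported are relative to the excerpt, not to LibConvert.sol. Each hit still needs manual review, since an operation can be bounded by earlier checks.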