DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

Attackers may be able to apply a Second Preimage Attack to steal tokens

Summary

In contract UnripeFacet, the function pick uses OpenZeppelin's MerkleProof to validate that the Pick is valid, but it builds the leaf node in the wrong way, which may expose the function to a Second Preimage attack.

Vulnerability Details

The function pick builds a leaf node with the following code:

bytes32 leaf = keccak256(abi.encodePacked(msg.sender, amount));

As per the comment in the OpenZeppelin Merkle tree library (https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/cryptography/MerkleProof.sol#L8-L22), you should avoid using leaf values that are 64 bytes long prior to hashing, because they are open to a Second Preimage attack.

For more details about the Second Preimage attack, refer to this article: https://www.rareskills.io/post/merkle-tree-second-preimage-attack

The Second Preimage attack will bypass the merkle proof validation, and then the attacker can steal tokens via the following call:

LibTransfer.sendToken(IERC20(token), amount, msg.sender, mode);

Impact

The attacker may be able to launch a Second Preimage attack to bypass the merkle proof validation and steal tokens from the contract.

Tools Used

Manual Review

Recommendations

Consider the following fix:

bytes32 leaf = keccak256(bytes.concat(keccak256(abi.encode(msg.sender, amount))));
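
To make the mechanism behind the finding and the recommended fix concrete, the following Python model is an added example (not code from the Beanstalk contracts or from OpenZeppelin). It builds a small OpenZeppelin-style sorted-pair Merkle tree over four constructed (address, amount) claims, shows that when the verifier single-hashes a 64-byte caller-supplied value an internal node's own preimage verifies as a "leaf" with a shortened proof, and shows that the double-hash leaf from the recommendation defeats this. It also reports the byte length of each encoding, which is what decides whether a leaf preimage can ever coincide with an internal node's 64-byte preimage. Assumptions: SHA3-256 stands in for keccak256 (hashlib has no Keccak, and the length argument does not depend on the hash), a power-of-two leaf count, and the sample claims are constructed.

```python
import hashlib


def H(data: bytes) -> bytes:
    # Stand-in for keccak256 (assumption: hashlib has no Keccak). The argument
    # below is about preimage lengths, not the hash function, so SHA3-256 suffices.
    return hashlib.sha3_256(data).digest()


def hash_pair(a: bytes, b: bytes) -> bytes:
    # OpenZeppelin MerkleProof style: sort the two 32-byte children, hash the 64-byte concat.
    return H(a + b) if a < b else H(b + a)


def build_tree(leaves: list[bytes]) -> list[list[bytes]]:
    # All levels, leaves first and root last. Leaf count assumed to be a power of two.
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([hash_pair(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def proof_from(levels: list[list[bytes]], level: int, index: int) -> list[bytes]:
    # Sibling hashes from the node at (level, index) up to (but excluding) the root.
    proof = []
    for lvl in levels[level:-1]:
        proof.append(lvl[index ^ 1])
        index //= 2
    return proof


def verify(proof: list[bytes], root: bytes, leaf: bytes) -> bool:
    h = leaf
    for sibling in proof:
        h = hash_pair(h, sibling)
    return h == root


def encode_packed(addr: bytes, amount: int) -> bytes:
    # abi.encodePacked(address, uint256): 20 + 32 = 52 bytes.
    assert len(addr) == 20
    return addr + amount.to_bytes(32, "big")


def encode_abi(addr: bytes, amount: int) -> bytes:
    # abi.encode(address, uint256): each slot padded to 32 bytes, so 64 bytes.
    assert len(addr) == 20
    return addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def internal_node_preimage(levels, level, index):
    # The 64-byte preimage of an internal node is simply its two sorted children.
    left, right = levels[level - 1][2 * index], levels[level - 1][2 * index + 1]
    return left + right if left < right else right + left


def demo() -> dict:
    # Constructed sample claims: four (address, amount) pairs.
    claims = [(bytes([i + 1]) * 20, 1000 * (i + 1)) for i in range(4)]

    # Vulnerable pattern: leaf = H(64-byte value), hashed once.
    single = build_tree([H(encode_abi(a, v)) for a, v in claims])
    root1 = single[-1][0]
    honest_ok = verify(proof_from(single, 0, 0), root1, H(encode_abi(*claims[0])))
    # Present level-1 node 0's own preimage as the "leaf value" with a shortened proof.
    pre1 = internal_node_preimage(single, 1, 0)
    single_hash_forged = verify(proof_from(single, 1, 0), root1, H(pre1))

    # Recommended pattern: leaf = H(H(value)). Matching an internal node N = H(l||r)
    # would need H(value) == l||r, a 32-byte digest equal to 64 bytes: impossible.
    double = build_tree([H(H(encode_abi(a, v))) for a, v in claims])
    root2 = double[-1][0]
    pre2 = internal_node_preimage(double, 1, 0)
    double_hash_forged = verify(proof_from(double, 1, 0), root2, H(H(pre2)))

    return {
        "honest_ok": honest_ok,
        "single_hash_forged": single_hash_forged,
        "double_hash_forged": double_hash_forged,
        "packed_len": len(encode_packed(*claims[0])),  # 52
        "abi_len": len(encode_abi(*claims[0])),        # 64
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The length figures are the check a reviewer applies first: the OpenZeppelin warning is specifically about leaf preimages that are 64 bytes long, because only then can caller-supplied leaf data be byte-for-byte the concatenation of two child hashes. A fixed-length preimage of any other size, or the double-hash leaf, removes that overlap.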

Updates

Lead Judging Commences

giovannidisiena Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

UnripeFacet second preimage
