DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

No limit on `ids` can lead to DOS in `claimFertilized`

Summary

The `ids` array parameter in the `FertilizerFacet:claimFertilized` function is used to specify the IDs of the Fertilizer instances that the caller wants to rinse. Each ID corresponds to a particular instance of Fertilizer. This function doesn't impose any limit on the length of the `ids` array. An attacker could potentially craft a transaction with a large number of IDs, causing the function to consume excessive gas or even run out of gas, leading to a DoS attack by preventing other legitimate transactions from being processed.

Vulnerability Details

The attacker crafts a transaction with a large array of IDs, potentially containing thousands or even millions of elements.

Each ID in the array triggers processing within the `claimFertilized` function. If this processing involves resource-intensive operations such as loops, complex computations, or external calls, it could consume a significant amount of gas and processing time.

The gas consumed by processing the large array of IDs exceeds the gas limit for Ethereum transactions. As a result, the transaction fails, and the attacker's goal is achieved: disrupting the normal operation of the `FertilizerFacet` contract and potentially causing a DoS for other users trying to interact with the contract.

See the following code:

```solidity
function claimFertilized(uint256[] calldata ids, LibTransfer.To mode)
    external
    payable
{
    uint256 amount = C.fertilizer().beanstalkUpdate(msg.sender, ids, s.bpf);
    LibTransfer.sendToken(C.bean(), amount, msg.sender, mode);
}
```

Impact

The primary impact of the attack is the disruption of service for legitimate users of the `FertilizerFacet` contract. When an attacker crafts a transaction with a large array of IDs in the `claimFertilized` function, it consumes excessive gas and processing time, causing the transaction to fail. As a result, legitimate users may experience delays or failures when trying to interact with the contract, such as claiming fertilized sprouts or purchasing fertilizer.

The attack can lead to financial losses for users who are unable to perform essential operations on the contract due to the DoS. For example, if users are unable to claim their fertilized sprouts, they may miss out on potential rewards or incentives offered by the contract. Additionally, if users are unable to purchase fertilizer, it may impact their ability to participate in farming or yield generation activities, resulting in missed opportunities for profit.

Tools Used

Manual Review

Recommendations

Implement input validation to ensure that the `ids` array is within reasonable bounds and contains valid IDs.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
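
The scenario in the submission, as an added toy model (not part of the submission or of the Beanstalk code base) of how a `claimFertilized` call with an oversized `ids` array behaves under per-transaction gas metering, with and without the length cap from the Recommendations section. The gas figures, `MAX_IDS`, the account names and the balances are constructed assumptions.

```python
# Added example: toy model of per-transaction gas metering. All numbers are assumptions.
BLOCK_GAS_LIMIT = 30_000_000  # assumed block gas limit
BASE_GAS = 21_000             # intrinsic cost of a transaction
GAS_PER_ID = 30_000           # assumed cost of processing one id
MAX_IDS = 100                 # hypothetical cap on len(ids)


def claim_fertilized(state, sender, ids, gas_limit, max_ids=None):
    """Simulate one claim transaction; return (ok, amount, gas_charged).

    State is written back only if the whole call succeeds, mirroring a revert.
    """
    if gas_limit > BLOCK_GAS_LIMIT:
        raise ValueError("gas limit above block gas limit: cannot be included")
    gas_used = BASE_GAS
    if max_ids is not None and len(ids) > max_ids:
        return False, 0, gas_used           # cheap revert before the loop runs
    pending = dict(state.get(sender, {}))   # scratch copy of the sender's balances
    amount = 0
    for fert_id in ids:
        gas_used += GAS_PER_ID
        if gas_used > gas_limit:
            return False, 0, gas_limit      # out of gas: reverted, full limit charged
        amount += pending.pop(fert_id, 0)   # unknown or repeated ids pay nothing
    state[sender] = pending                 # commit
    return True, amount, gas_used


def demo():
    # Constructed sample state: account -> {fertilizer id: claimable amount}
    state = {"alice": {1: 50, 2: 70}, "sender_x": {9: 5}}
    oversized = list(range(10_000))
    results = {
        "uncapped": claim_fertilized(state, "sender_x", oversized, BLOCK_GAS_LIMIT),
        "capped": claim_fertilized(state, "sender_x", oversized, BLOCK_GAS_LIMIT, MAX_IDS),
        "alice": claim_fertilized(state, "alice", [1, 2], 200_000),
    }
    return results, state


if __name__ == "__main__":
    results, state = demo()
    for name, outcome in results.items():
        print(name, outcome)
    print(state)
```

In this model the oversized call is charged its full gas limit and leaves state untouched, the capped variant fails at the base cost, and the later claim by `alice` is processed normally.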
