DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Missing Zero Address Check Vulnerability in BeanL2MigrationFacet.sol

Summary

The BeanL2MigrationFacet.sol contract in the Beanstalk project lacks a zero address check for the receiver (address to receive Beans on L2) and L2Beanstalk (address of the Beanstalk contract on L2) parameters in the migrateL2Beans function. This could lead to the loss of Beans if a user accidentally or intentionally enters a zero address.

Vulnerability Details

The migrateL2Beans function does not check if the receiver and L2Beanstalk parameters are zero addresses (address(0)). If either of these parameters is a zero address, the Beans will be burned on L1 but not minted on L2, resulting in the loss of the user's Beans.

Impact

If the user enters a zero address for receiver or L2Beanstalk, the Beans burned on L1 will not be minted on L2, resulting in loss of assets for the user.

Tools Used

Manual review

Recommendations

Add a zero address check for both the receiver and L2Beanstalk parameters in the migrateL2Beans function, before the Beans are burned:

function migrateL2Beans(
    address receiver,
    address L2Beanstalk,
    uint256 amount,
    uint32 gasLimit
) external nonReentrant {
    // Reject the zero address for either destination before any Beans are burned on L1.
    require(receiver != address(0), "BeanL2MigrationFacet: receiver is the zero address");
    require(L2Beanstalk != address(0), "BeanL2MigrationFacet: L2Beanstalk is the zero address");
    C.bean().burnFrom(msg.sender, amount);
    // ...
}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
