The uri
function in the MetadataFacet
contract lacks input validation for the depositId
parameter. This could lead to unexpected behavior or errors if an invalid depositId
is provided, as the function assumes the input is correctly formed by concatenating a token address and a stem.
The uri
function takes a depositId
as input and uses LibBytes.unpackAddressAndStem
to extract the token address and stem from it. However, there are no checks to ensure that the depositId
is valid or that it was created using the expected format.
If a user provides an invalid depositId
, the following issues could arise:
Incorrect Token and Stem Values: The unpackAddressAndStem
function might extract incorrect token and stem values, leading to the generation of an incorrect URI.
Unexpected Reverts: The subsequent logic in the uri
function, which relies on the extracted token and stem values, might revert due to unexpected values, causing the function to fail.
Denial of Service: In some cases, an invalid depositId
could trigger a revert in a way that consumes excessive gas, potentially leading to a denial-of-service (DoS) attack.
The impact of this vulnerability depends on how the uri
function is used within the Beanstalk ecosystem. If the function is called with untrusted user input, an attacker could potentially exploit this lack of validation to:
Manipulate Metadata: Generate incorrect URIs for deposits, leading to misleading or inaccurate metadata.
Disrupt Functionality: Cause the uri
function to revert unexpectedly, disrupting the normal operation of the contract.
Launch DoS Attacks: In some cases, trigger reverts that consume excessive gas, potentially leading to a DoS attack.
Manual code review
To mitigate this vulnerability, add input validation to the uri
function. This could include:
Validate Deposit ID Structure: Check if the depositId
is correctly formed by concatenating a valid token address and a stem.
Check Token Whitelist: Verify if the extracted token address is in the silo whitelist to ensure it's a supported token.
Stem Range Check: Ensure that the extracted stem value is within the valid range for the given token.
By implementing these checks, the uri
function can be made more robust and resistant to errors caused by invalid input.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.