Submission Details
Severity: high
Invalid

publisher would be drained once set

Summary

LibTractor._user() always returns the publisher address once that address has been set.

Vulnerability Details

TokenFacet uses LibTractor._user() to determine the context of the msg.sender.
The issue is that when a publisher is set, the function always returns the address of the publisher instead of the current msg.sender.
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/libraries/LibTractor.sol#L116C4-L121C6

    function _user() internal view returns (address payable user) {
        user = _getActivePublisher(); //@audit-info once a publisher is set this always returns here
        if (uint160(bytes20(address(user))) <= 1) {
            user = payable(msg.sender);
        }
    }

The consequence is that when a user calls any function that depends on LibTractor._user(), it would return the address of the publisher.
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/beanstalk/farm/TokenFacet.sol#L67

    function transferInternalTokenFrom(
        IERC20 token,
        address sender,
        address recipient,
        uint256 amount,
        LibTransfer.To toMode
    ) external payable fundsSafu noSupplyChange oneOutFlow(address(token)) nonReentrant {
        LibTransfer.transferToken(
            token,
            sender,
            recipient,
            amount,
            LibTransfer.From.INTERNAL,
            toMode
        );
        if (sender != LibTractor._user()) { //@audit-info
            LibTokenApprove.spendAllowance(sender, LibTractor._user(), token, amount);
        }
    }

In the above case, if the user passes the address of the publisher as sender, it would bypass the check (sender != LibTractor._user()) and spendAllowance would not be invoked.
Multiple functions that depend on LibTractor._user() would be affected once a publisher is set.

Impact

Tokens owned by a publisher can be drained.

Tools Used

Manual Review

Recommendations

Explicitly check that the caller is the publisher within LibTractor._user().
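A stand-alone model of the sentinel check in the quoted _user(), added here as an illustration and not taken from the Beanstalk code base. It isolates the two states the check distinguishes: while the active-publisher slot holds address(0) or address(1), _user() resolves to msg.sender; while it holds a real publisher, every caller resolves to that publisher. The storage variable, the beginBlueprint/endBlueprint helpers and the use of address(1) as the "no active publisher" value are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added model of the LibTractor._user() sentinel logic (not project code).
/// Assumption: the slot is reset to address(1) outside blueprint execution,
/// which is why the original check treats both 0 and 1 as "no publisher".
contract TractorUserModel {
    // Assumed storage for the active publisher; starts at the sentinel.
    address private activePublisher = address(1);

    // Assumed stand-in for the Tractor entry logic.
    function beginBlueprint(address publisher) external {
        require(uint160(publisher) > 1, "invalid publisher");
        activePublisher = publisher;
    }

    // Assumed stand-in for the Tractor exit logic.
    function endBlueprint() external {
        activePublisher = address(1); // back to the sentinel, not address(0)
    }

    // Same logic as the quoted _user(): addresses 0 and 1 mean
    // "no active publisher", so the caller itself is returned.
    function user() public view returns (address payable u) {
        u = payable(activePublisher);
        if (uint160(bytes20(address(u))) <= 1) {
            u = payable(msg.sender);
        }
    }

    // Mirrors the gate in transferInternalTokenFrom: an allowance is only
    // spent when the supplied sender is not the resolved user.
    function needsAllowance(address sender) external view returns (bool) {
        return sender != user();
    }
}
```

Calling needsAllowance(publisher) returns false only while beginBlueprint has stored that publisher and endBlueprint has not yet run; in the sentinel state it returns true for any sender other than msg.sender.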

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
