Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

DOS for transfers on some to-be supported tokens

bauchibred

Summary

Low likelihood DOS when the transfers of full amount of some supported tokens are being executed, due to the current transfer logic.

Vulnerability Details

Take a look at https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/8c8710df547f7d7c5dd82c5381eb6b34532e4484/protocol/contracts/libraries/Token/LibTokenApprove.sol#L36-L42

function spendAllowance(address owner, address spender, IERC20 token, uint256 amount) internal {
uint256 currentAllowance = allowance(owner, spender, token);
if (currentAllowance != type(uint256).max) {
require(currentAllowance >= amount, "Token: insufficient allowance");
approve(owner, spender, token, currentAllowance - amount);
}
}

This function is what gets finally called in the case there is any transfer, that's not via transfer() but from transferFrom(), issue however is that, Beanstalk is to support all ERC2o tokens as stated in the readMe, issue however is that tokens exist that do not accept an approval to the 0 value, see https://github.com/d-xo/weird-erc20?tab=readme-ov-file#revert-on-zero-value-approvals.

Now see the instances where spendAllowance gets queried accross protocol:

protocol/contracts/beanstalk/farm/TokenFacet.sol:
83 if (sender != LibTractor._user()) {
84: LibTokenApprove.spendAllowance(sender, LibTractor._user(), token, amount);
85 }
protocol/contracts/beanstalk/migration/L1TokenFacet.sol:
94 if (sender != msg.sender) {
95: LibTokenApprove.spendAllowance(sender, msg.sender, token, amount);
96 }

This then means that when using such ERC-20 tokens, the transfers would always revert when the transfer that's to be done is that of all the allowance that sender has given the user, leading to a DOS on the attempt at transfer.

NB: The hinted instances where spendAllowance gets queried are also helper functions, so this bug case also affects the external transfer attempts that gets routed via this in core functionalities across protocol.

Impact

DOS on the attempt at transfer for some users as they can't transfer out all their approved tokens.

Imo, impact -medium (just a Dos and +1 approval would sort it out, but could be of higher impact if the +1 is of high value $wise ), likelihood- low, so severity -> low.

Tools Used

  • Manual review

  • Juancito's guide on multichain deployments: https://github.com/0xJuancito/multichain-auditor?tab=readme-ov-file#hardcoded-contract-addresses

Recommendations

Consider outrightly not supporting these tokens, alternatively heavily doxument this factor and have users approve +1 wei of these sort of tokens (this would naturally work if the token is of a high decimal, however if it's a low decimal, then +1 could be worth too much for a sender to approve to the receiver as an extra, so safe bet is just to outrightly not support these tokens).

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Some tokens revert on approve 0

Appeal created

bauchibred Submitter
12 months ago
inallhonesty Lead Judge
12 months ago
inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Some tokens revert on approve 0

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.