Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Mismatch in the `BRIDGE` address between the `BeanL1RecieverFacet` and `BeanL2MigrationFacet` contracts prevents the migration of Beans to L2

whitehat777

Summary

Mismatch in the BRIDGE address between the BeanL1RecieverFacet and BeanL2MigrationFacet contracts prevents the migration of Beans to L2. This discrepancy causes the require statement in BeanL1RecieverFacet to always revert, blocking the migration functionality.

Vulnerability Details

This vulnerability occurs because in the recieveL1Beans function of the BeanL1RecieverFacet contract. The following require statement always will revert due to mismatch in the BRIDGE address between the BeanL1RecieverFacet and BeanL2MigrationFacet contracts:

BeanL1RecieverFacet.sol#L34-L37

require(msg.sender == address(BRIDGE) && IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK);

Detailed explanation

The BRIDGE address in BeanL1RecieverFacet is set to 0x4200000000000000000000000000000000000007 here. However, in the BeanL2MigrationFacet contract, the BRIDGE address is set to 0x866E82a600A1414e583f7F13623F1aC5d58b0Afa here. Hence, this address mismatch causes the require statement to always revert because the msg.sender will never match the expected BRIDGE address in BeanL1RecieverFacet.

Context:

The BeanL2MigrationFacet uses the IBeanL1RecieverFacet.recieveL1Beans function to migrate Beans from Beanstalk on L1 to L2. Due to the mismatch between the BRIDGE address constants in the two contracts, the migration process cannot be completed. Since Beans are a fundamental asset within the Beanstalk ecosystem, used for various critical functions, the inability to migrate them to L2 severely impacts the functionality and growth of the project. Therefore, this issue is marked as a high severity issue.

PoC for occuring of the issue:

contract BeanL2MigrationFacet is Invariable, ReentrancyGuard {
>>> address constant BRIDGE = address(0x866E82a600A1414e583f7F13623F1aC5d58b0Afa);
/**
* @notice migrates `amount` of Beans to L2,
* issued to `reciever`.
*/
function migrateL2Beans(address reciever, address L2Beanstalk, uint256 amount, uint32 gasLimit)
external
nonReentrant
{
C.bean().burnFrom(msg.sender, amount);
// send data to
>>> IL2Bridge(BRIDGE).sendMessage(
L2Beanstalk, abi.encodeCall(IBeanL1RecieverFacet(L2Beanstalk).recieveL1Beans, (reciever, amount)), gasLimit
);
}
}
contract BeanL1RecieverFacet is ReentrancyGuard {
uint256 constant EXTERNAL_L1_BEANS = 0;
>>> address constant BRIDGE = address(0x4200000000000000000000000000000000000007);
address constant L1BEANSTALK = address(0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5);
/**
* @notice migrates `amount` of Beans to L2,
* issued to `reciever`.
*/
function recieveL1Beans(address reciever, uint256 amount) external nonReentrant {
// verify msg.sender is the cross-chain messenger address, and
// the xDomainMessageSender is the L1 Beanstalk contract.
>>> require(msg.sender == address(BRIDGE) && IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK);
s.sys.migration.migratedL1Beans += amount;
require(EXTERNAL_L1_BEANS >= s.sys.migration.migratedL1Beans, "L2Migration: exceeds maximum migrated");
C.bean().mint(reciever, amount);
}
}

Impact

The impact of this vulnerability is significant as it prevents the migration of Beans from L1 to L2.

Tools Used

Manual code review

Recommendations

Ensure that the BRIDGE address constant is the same in both BeanL1RecieverFacet and BeanL2MigrationFacet contracts to allow successful communication between them.

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Hardcoded bridge address in `BeanL1ReceiverFacet`

Appeal created

whitehat777 Submitter
12 months ago
whitehat777 Submitter
12 months ago
inallhonesty Lead Judge
12 months ago
inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Hardcoded bridge address in `BeanL1ReceiverFacet`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.