Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Multiple functions use arbitrary `from` in `transferFrom` resulting in loss of funds during transfer.

DuncanDuMond

Summary

Detect when msg.sender is not used as from in transferFrom.

Vulnerability Details

  • ReseedBean::mintAndSync(BeanstalkERC20,address,uint256,uint256) (contracts/beanstalk/init/reseed/L2/ReseedBean.sol#213-224) uses arbitrary from in transferFrom: IERC20(nonBeanToken).safeTransferFrom(OWNER,address(well),tokenAmount) (contracts/beanstalk/init/reseed/L2/ReseedBean.sol#221)

  • LibTransfer::transferToken(IERC20,address,address,uint256,LibTransfer.From,LibTransfer.To) (contracts/beanstalk/migration/L1Libraries/LibTransfer.sol#32-48) uses arbitrary from in transferFrom: token.safeTransferFrom(sender,recipient,amount) (contracts/beanstalk/migration/L1Libraries/LibTransfer.sol#42)

  • LibTransfer::receiveToken(IERC20,uint256,address,LibTransfer.From) (contracts/beanstalk/migration/L1Libraries/LibTransfer.sol#50-69) uses arbitrary from in transferFrom: token.safeTransferFrom(sender,address(this),amount - receivedAmount) (contracts/beanstalk/migration/L1Libraries/LibTransfer.sol#67)

  • LibFertilizer::addUnderlying(uint256,uint256,uint256) (contracts/libraries/LibFertilizer.sol#85-143) uses arbitrary from in transferFrom: IERC20(barnRaiseToken).transferFrom(LibTractor._user(),address(this),uint256(tokenAmountIn)) (contracts/libraries/LibFertilizer.sol#116-120)

  • LibTransfer::transferToken(IERC20,address,address,uint256,LibTransfer.From,LibTransfer.To) (contracts/libraries/Token/LibTransfer.sol#29-45) uses arbitrary from in transferFrom: token.safeTransferFrom(sender,recipient,amount) (contracts/libraries/Token/LibTransfer.sol#39)

  • LibTransfer::receiveToken(IERC20,uint256,address,LibTransfer.From) (contracts/libraries/Token/LibTransfer.sol#47-66) uses arbitrary from in transferFrom: token.safeTransferFrom(sender,address(this),amount - receivedAmount) (contracts/libraries/Token/LibTransfer.sol#64)

  • UnripeFacet::addMigratedUnderlying(address,uint256) (contracts/beanstalk/barn/UnripeFacet.sol#284-295) uses arbitrary from in transferFrom: IERC20(s.sys.silo.unripeSettings[unripeToken].underlyingToken).safeTransferFrom(LibTractor._user(),address(this),amount) (contracts/beanstalk/barn/UnripeFacet.sol#289-293)

In each scenario, the attacker can call the function and specify the user's address as from in transferFrom allowing the attacker to transfer the user's funds to himself.

Impact

Funds can be stolen if the attacker calls the function and specifies the user's address

Tools Used

Slither

Recommendations

Use msg.sender as from in transferFrom.

For example:

function mintAndSync(
BeanstalkERC20 bean,
address well,
uint256 beanAmount,
uint256 tokenAmount
) internal returns (IWell) {
bean.mint(well, beanAmount);
(address nonBeanToken, ) = LibWell.getNonBeanTokenAndIndexFromWell(well);
- IERC20(nonBeanToken).safeTransferFrom(OWNER, address(well), tokenAmount);
+ IERC20(nonBeanToken)safeTransferFrom(msg.sender(OWNER), address(well), tokenAmount);
IWell(well).sync(address(this), 0); // sync the well.
return IWell(well);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.