DeFiHardhatFoundry
250,000 USDC
Submission Details
Severity: high
Invalid

Unauthorized Token Transfers Possible Due to Arbitrary from Parameter

Summary

The UnripeFacet.sol contract handles functionalities related to unripe tokens, including their management and the conversion (chopping) into ripe tokens. The identified issue relates to the use of an arbitrary address as the from parameter in the ERC20 transferFrom calls, which can lead to unauthorized token transfers and potential loss of funds.

Vulnerability Details

By allowing an arbitrary address to be used as the from parameter in the transferFrom function, the contract permits anyone to transfer tokens from another user's address without proper authorization. This can result in unauthorized token transfers and a potential loss of funds for the token owner.

Code snippet:

IERC20(s.sys.silo.unripeSettings[unripeToken].underlyingToken).safeTransferFrom(
    LibTractor._user(),   // from
    address(this),        // to
    amount
);

The function LibTractor._user() returns an arbitrary address, which is used as the from parameter in the safeTransferFrom call.

Impact

High. This vulnerability can be exploited to transfer tokens from any user's address without their consent, leading to significant financial loss.

Tools Used

Manual review

Recommendations

  • Use msg.sender for from Parameter:
    Ensure that the from parameter in all safeTransferFrom calls is msg.sender to prevent unauthorized transfers.

IERC20(s.sys.silo.unripeSettings[unripeToken].underlyingToken).safeTransferFrom(
    msg.sender,           // from
    address(this),        // to
    amount
);
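As an added illustration (not Beanstalk code and not part of this submission), the following hypothetical vault shows the pattern the report describes next to the recommended msg.sender form, with a Foundry test of the hardened version. The contract and test names (VulnerableVault, HardenedVault, MockToken, VaultTest) and the OpenZeppelin/forge-std imports are assumptions. The property that matters is that the address whose approval is spent actually authorized the call: msg.sender gives that directly, while a contract that deliberately resolves the acting user through a delegation mechanism has to establish it by other means, which is why the judge treated this submission as a design choice rather than a bug.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {Test} from "forge-std/Test.sol";

// Hypothetical vault (illustration only, not Beanstalk's UnripeFacet).
// ERC20.transferFrom(from, to, amount) checks only that `from` has approved
// the *calling contract* for at least `amount`; it knows nothing about who
// invoked the vault. Whoever picks `from` therefore picks whose approval is spent.
contract VulnerableVault {
    using SafeERC20 for IERC20;
    mapping(address => uint256) public credited;

    // Defect: `from` is caller-controlled. Any address that has approved this
    // vault can be named here by anyone, and the credit goes to msg.sender.
    function deposit(IERC20 token, address from, uint256 amount) external {
        token.safeTransferFrom(from, address(this), amount);
        credited[msg.sender] += amount;
    }
}

// Recommended form: the approval spent is always the caller's own.
contract HardenedVault {
    using SafeERC20 for IERC20;
    mapping(address => uint256) public credited;

    function deposit(IERC20 token, uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        credited[msg.sender] += amount;
    }
}

// Minimal mintable token for the test (constructed, not a real deployment).
contract MockToken is ERC20 {
    constructor() ERC20("Mock", "MOCK") {}
    function mint(address to, uint256 amount) external { _mint(to, amount); }
}

contract VaultTest is Test {
    MockToken token;
    HardenedVault vault;
    address alice = makeAddr("alice");     // has approved the vault
    address mallory = makeAddr("mallory"); // has not

    function setUp() public {
        token = new MockToken();
        vault = new HardenedVault();
        token.mint(alice, 100e18);
        vm.prank(alice);
        token.approve(address(vault), 100e18);
    }

    // A third party cannot spend alice's approval: msg.sender is mallory, so
    // transferFrom(mallory, ...) reverts for lack of balance and allowance,
    // and alice's balance is untouched.
    function testThirdPartyCannotSpendOthersApproval() public {
        vm.prank(mallory);
        vm.expectRevert();
        vault.deposit(token, 100e18);
        assertEq(token.balanceOf(alice), 100e18);
    }

    // The approving party deposits for herself and is credited.
    function testOwnerDeposits() public {
        vm.prank(alice);
        vault.deposit(token, 40e18);
        assertEq(token.balanceOf(alice), 60e18);
        assertEq(vault.credited(alice), 40e18);
    }
}
```

Run with `forge test` in a project that has OpenZeppelin and forge-std installed. The VulnerableVault is included only to make the contrast visible in code; the test exercises the hardened form, where the only approval a call can consume is msg.sender's own.
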

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
