Tags: DeFi, Hardhat, Foundry
Prize pool: 250,000 USDC
Submission Details
Severity: low
Invalid

Multiple functions call `abi.encodePacked()` with multiple dynamic arguments which can compromise the protocol.

Summary

Detect hash collisions caused by multiple dynamic-type arguments in abi.encodePacked().

Vulnerability Details

MetadataFacet::uri(uint256) (contracts/beanstalk/metadata/MetadataFacet.sol#33-83) calls abi.encodePacked() with multiple dynamic arguments:
- string(abi.encodePacked(data:application/json;base64,,LibBytes64.encode(abi.encodePacked({,"name": "Beanstalk Silo Deposits", "description": "An ERC1155 representing an asset deposited in the Beanstalk Silo. Silo Deposits gain stalk and bean seignorage. ,\n\nDISCLAIMER: Due diligence is imperative when assessing this NFT. Opensea and other NFT marketplaces cache the svg output and thus, may require the user to refresh the metadata to properly show the correct values.",attributes,string(abi.encodePacked( }], "image": ",imageURI(token,stem,stemTip),")),})))) (contracts/beanstalk/metadata/MetadataFacet.sol#61-82)
Internalizer::uri(uint256) (contracts/tokens/Fertilizer/Internalizer.sol#35-37) calls abi.encodePacked() with multiple dynamic arguments:
- string(abi.encodePacked(_uri,Strings.toString(_id))) (contracts/tokens/Fertilizer/Internalizer.sol#36)

Impact

A user calls the function with a given input. An attacker creates a collision by deliberately calling the function with different inputs whose packed encoding is byte-for-byte identical (for example, by shifting characters between two adjacent dynamic arguments). The system is compromised as a result.
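To make the collision concrete, the following is an added example (not part of this submission or the Beanstalk codebase): a pure-Python re-implementation of how Solidity packs string arguments under abi.encodePacked() versus abi.encode(), using constructed inputs shaped like the Internalizer `_uri` + id concatenation. It also shows why abi.encode() output is not a drop-in replacement when the bytes are cast back to a string.

```python
# Added example: minimal models of the two Solidity encodings for string
# arguments. No web3/eth_abi dependency; inputs below are constructed.

def encode_packed(*args: str) -> bytes:
    """abi.encodePacked for string args: raw UTF-8 bytes, no length, no padding."""
    return b"".join(a.encode() for a in args)

def _word(n: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return n.to_bytes(32, "big")

def _pad32(data: bytes) -> bytes:
    """Right-pad with zero bytes to a multiple of 32 (ABI tail padding)."""
    rem = len(data) % 32
    return data + b"\x00" * (32 - rem) if rem else data

def encode(*args: str) -> bytes:
    """abi.encode for string args: head of offsets, then length-prefixed,
    padded tails. Lengths are explicit, so argument boundaries survive."""
    head_size = 32 * len(args)
    tails = [_word(len(a.encode())) + _pad32(a.encode()) for a in args]
    offsets, pos = [], head_size
    for t in tails:
        offsets.append(pos)
        pos += len(t)
    return b"".join(_word(o) for o in offsets) + b"".join(tails)

def collides(enc, pair_a, pair_b) -> bool:
    """True if two different argument tuples encode to identical bytes
    (an identical keccak256 preimage, hence an identical hash)."""
    return pair_a != pair_b and enc(*pair_a) == enc(*pair_b)

def looks_like_data_uri(encoded: bytes) -> bool:
    """A URI built as string(abi.encodePacked(...)) starts with its literal
    prefix; abi.encode() output starts with offset words instead."""
    return encoded.startswith(b"data:")

# Constructed inputs: base URI + decimal id, with characters shifted across
# the argument boundary. Packed encoding cannot tell these apart.
PAIR_A = ("ipfs://example-base/", "12")   # id 12
PAIR_B = ("ipfs://example-base/1", "2")   # id 2 under a one-char-longer base
PACKED_COLLISION = collides(encode_packed, PAIR_A, PAIR_B)   # True
ENCODE_COLLISION = collides(encode, PAIR_A, PAIR_B)          # False

if __name__ == "__main__":
    print("encodePacked collision:", PACKED_COLLISION)
    print("abi.encode collision:  ", ENCODE_COLLISION)
    print("abi.encode keeps data: prefix:",
          looks_like_data_uri(encode("data:application/json;base64,", "e30=")))
```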

Tools Used

Slither

Recommendations

Do not use more than one dynamic type in abi.encodePacked() (see the Solidity documentation on non-standard packed mode: https://docs.soliditylang.org/en/v0.5.10/abi-spec.html?highlight=abi.encodePacked#non-standard-packed-mode). Prefer abi.encode() instead.

See below:

return
string(
- abi.encodePacked(
+ abi.encode(
"data:application/json;base64,",
LibBytes64.encode(
abi.encodePacked(
"{",
'"name": "Beanstalk Silo Deposits", "description": "An ERC1155 representing an asset deposited in the Beanstalk Silo. Silo Deposits gain stalk and bean seignorage. ',
'\\n\\nDISCLAIMER: Due diligence is imperative when assessing this NFT. Opensea and other NFT marketplaces cache the svg output and thus, may require the user to refresh the metadata to properly show the correct values."',
attributes,
string(
abi.encodePacked(
' }], "image": "',
imageURI(token, stem, stemTip),
'"'
)
),
"}"
)
)
)
);
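Review bot: replacing only the outer call at `+ abi.encode(` breaks the value `uri()` returns: abi.encode of a string literal and a bytes value produces 32-byte head offsets followed by length-prefixed, zero-padded tails, so `string(...)` no longer starts with `data:application/json;base64,` but with 31 zero bytes, which no marketplace can parse as a data URI. The inner `abi.encodePacked(` calls (the one passed to `LibBytes64.encode(` and the one around `' }], "image": "'`) still concatenate several dynamic arguments, so the Slither detector would keep firing anyway. Since this output is only cast to a string and never hashed or compared, the packed concatenation is the intended behaviour here; if the compiler version allows it, `string.concat(...)` states that intent without the collision concern the finding raises for hashed inputs.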
function uri(uint256 _id) public view virtual override returns (string memory) {
- return string(abi.encodePacked(_uri, Strings.toString(_id)));
+ return string(abi.encode(_uri, Strings.toString(_id)));
}
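Review bot: `string(abi.encode(_uri, Strings.toString(_id)))` returns raw ABI bytes (two offset words, then each string with its length word and zero padding) rather than `_uri` followed by the decimal id, so every Fertilizer token URI would become unreadable. The value is returned to callers, not hashed, so the encodePacked collision concern does not apply to this line; keep the concatenation (or use `string.concat` where the compiler supports it) and drop this hunk.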

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
