DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Valid

Attacker can mint Silo deposits via L2ContractMigrationFacet

Summary

Smart contracts that hold Silo deposits on L1 can migrate them to L2 using L2ContractMigrationFacet.sol.

A Merkle root is used to verify that the caller submits correct values. The problem is that the function does not check whether a given Merkle leaf has already been used, so an attacker can replay the call and mint any number of deposits. As a result the attacker ends up with a huge amount of Stalk and can drain the protocol via a malicious proposal.

Vulnerability Details

Nothing prevents an attacker from executing this function multiple times with a single deposit and different receivers:

function redeemDepositsAndInternalBalances(
    address owner,
    address reciever,
    AccountDepositData[] calldata deposits,
    AccountInternalBalance[] calldata internalBalances,
    uint256 ownerRoots,
    bytes32[] calldata proof,
    uint256 deadline,
    bytes calldata signature
) external payable fundsSafu noSupplyChange nonReentrant {
    // verify deposits are valid.
    // note: if the number of contracts that own deposits is small,
    // deposits can be stored in bytecode rather than relying on a merkle tree.
    verifyDepositsAndInternalBalances(owner, deposits, internalBalances, ownerRoots, proof);
    // signature verification.
    verifySignature(owner, reciever, deadline, signature);
    // set deposits for `reciever`.
    uint256 accountStalk;
    for (uint256 i; i < deposits.length; i++) {
        accountStalk += addMigratedDepositsToAccount(reciever, deposits[i]);
    }
    // set stalk for account.
    setStalk(reciever, accountStalk, ownerRoots);
}

Impact

An attacker can freely mint deposits and therefore Stalk. As a result they hold enough Stalk to pass and execute a malicious governance proposal and steal all the Beans distributed to Stalkholders.

Additionally, the protocol will halt because of the invariant check in Invariable.sol, locking all funds.

Tools Used

Manual Review

Recommendations

Keep track of used Merkle leaves so that each leaf can be redeemed only once, preventing replay.
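The recommendation above, shown as an added example that is not the project's code: a minimal migration contract that marks each Merkle leaf as spent before crediting the receiver, plus a Foundry test asserting that a second redemption with a different receiver reverts. The contract and function names, the leaf encoding (owner, deposit-data hash, ownerRoots), the simplified Stalk mapping, the single-leaf tree used in the test and the omission of the signature and deadline checks are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Illustration of the recommended fix (example code, not the project's own).
/// Names, leaf encoding and the Stalk accounting are assumptions.
contract ReplayGuardedMigration {
    bytes32 public immutable depositRoot;          // Merkle root of migratable deposits (assumed)
    mapping(bytes32 => bool) public usedLeaves;    // leaf => already redeemed
    mapping(address => uint256) public stalk;      // simplified Stalk balance (assumed)

    event DepositsRedeemed(address indexed owner, address indexed receiver, bytes32 leaf);

    constructor(bytes32 root) {
        depositRoot = root;
    }

    function redeemDeposits(
        address owner,
        address receiver,
        bytes32 depositsHash,   // hash of the owner's deposit data (assumed encoding)
        uint256 ownerRoots,
        bytes32[] calldata proof
    ) external {
        // The leaf commits to the owner and the exact data being migrated, but
        // not to `receiver`. Without the spent-leaf check below, the same proof
        // could therefore be submitted again with a fresh receiver.
        bytes32 leaf = keccak256(abi.encode(owner, depositsHash, ownerRoots));
        require(_verify(proof, depositRoot, leaf), "invalid proof");

        // The missing check: each leaf may be redeemed exactly once.
        require(!usedLeaves[leaf], "leaf already redeemed");
        usedLeaves[leaf] = true;   // record the effect before crediting anything

        stalk[receiver] += ownerRoots;
        emit DepositsRedeemed(owner, receiver, leaf);
    }

    /// Sorted-pair Merkle verification (same convention as OpenZeppelin's MerkleProof).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf)
        internal pure returns (bool)
    {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sibling = proof[i];
            node = node < sibling
                ? keccak256(abi.encodePacked(node, sibling))
                : keccak256(abi.encodePacked(sibling, node));
        }
        return node == root;
    }
}

/// Foundry test: the first redemption succeeds, a replay to a different
/// receiver reverts. A single-leaf tree is used, so the root equals the leaf
/// and the proof is empty.
contract ReplayGuardTest is Test {
    ReplayGuardedMigration migration;
    address owner = address(0xA11CE);
    bytes32 depositsHash = keccak256("constructed deposit data");   // constructed sample value
    uint256 ownerRoots = 1_000e6;

    function setUp() public {
        bytes32 leaf = keccak256(abi.encode(owner, depositsHash, ownerRoots));
        migration = new ReplayGuardedMigration(leaf);
    }

    function testSecondRedemptionReverts() public {
        migration.redeemDeposits(owner, address(0xB0B), depositsHash, ownerRoots, new bytes32[](0));
        assertEq(migration.stalk(address(0xB0B)), ownerRoots);
        assertTrue(migration.usedLeaves(keccak256(abi.encode(owner, depositsHash, ownerRoots))));

        vm.expectRevert(bytes("leaf already redeemed"));
        migration.redeemDeposits(owner, address(0xCA7), depositsHash, ownerRoots, new bytes32[](0));
    }
}
```

Keying the guard on the leaf rather than on `owner` is deliberate: an owner legitimately holding several distinct deposits has several distinct leaves, each redeemable once, while any attempt to reuse one leaf fails regardless of the receiver named in the call.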

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Replay attack vulnerability in `redeemDepositsAndInternalBalances` function - it could be replayed
