Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

BeanL1RecieverFacet utilizes address from L1 to mint beans

holydevoti0n

Summary

BeanL2MigrationFacet is used to migrate the Beans from L1 to L2. The BeanL2MigrationFacet first burns the receive beans and then call the bridge to send the burned amount to L2 so it can be minted.

function migrateL2Beans(
address reciever,
address L2Beanstalk,
uint256 amount,
uint32 gasLimit
) external nonReentrant {
C.bean().burnFrom(msg.sender, amount);
// send data to
IL2Bridge(BRIDGE).sendMessage(
L2Beanstalk,
abi.encodeCall(IBeanL1RecieverFacet(L2Beanstalk).recieveL1Beans, (reciever, amount)),
gasLimit
);

See that as this contract is on L1, it utilizes the correct address of Bean to burn beans:

C.bean().burnFrom(msg.sender, amount);

However, on BeanL1RecieverFacet, which is the facet that will receive the beans' amount from L1, the C.bean() is yet utilized to mint beans.

function recieveL1Beans(address reciever, uint256 amount) external nonReentrant {
// verify msg.sender is the cross-chain messenger address, and
// the xDomainMessageSender is the L1 Beanstalk contract.
require(
msg.sender == address(BRIDGE) &&
IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK
);
s.sys.migration.migratedL1Beans += amount;
require(
EXTERNAL_L1_BEANS >= s.sys.migration.migratedL1Beans,
"L2Migration: exceeds maximum migrated"
);
@> C.bean().mint(reciever, amount); // @audit - wrong address

Impact

  • This will prevent the protocol from executing the beans migration to L2.

  • Transaction will revert.

Tools Used

Manual Review

Recommendations

When minting Beans, use the Beans' address from L2.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.