Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

Plot transfers allow for gas griefing/ OOG errors

deadrosesxyz

Summary

Users might be unable to transfer/ harvest their plots due to gas griefing

Vulnerability Details

When a plot is harvested or transferred, its index is removed from the user's plotIndexes. The problem is that the way this is done is by looping through all indexes until the correct one is found.

function removePlotIndexFromAccount(

address account,

uint256 fieldId,

uint256 plotIndex

) internal {

AppStorage storage s = LibAppStorage.diamondStorage();

uint256 i = findPlotIndexForAccount(account, fieldId, plotIndex);

Field storage field = s.accts[account].fields[fieldId];

field.plotIndexes[i] = field.plotIndexes[field.plotIndexes.length - 1];

field.plotIndexes.pop();

}

/**

* @notice finds the index of a plot in an accounts plotIndex list.

function findPlotIndexForAccount(

address account,

uint256 fieldId,

uint256 plotIndex

) internal view returns (uint256 i) {

AppStorage storage s = LibAppStorage.diamondStorage();

Field storage field = s.accts[account].fields[fieldId];

uint256[] memory plotIndexes = field.plotIndexes;

uint256 length = plotIndexes.length;

while (plotIndexes[i] != plotIndex) {

i++;

if (i >= length) {

revert("Id not found");

}

return i;

}

This allows for an attacker to spam a wallet with 1 amount plots so the user's plotIndexes array becomes too long. Then, if the user buys/ sows plots which they later plan on harvestting/selling, they'll have to loop through everything. Given that Beanstalk currently is deployed on ETH mainnet, this could be a unprofitable operation due to high gas costs. In some extreme scenario, it might even be impossible to execute the tx due to gas limit.

Impact

Gas griefing

Tools Used

Manual review

Recommendations

Sort the plotIndexes upon transfer. This would make transfers a tiny bit more costly but would make this attack impossible. In practice, difference would be negligible

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

`plotIndexes` array can be spammed by 1 wei transfers

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.