DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Invalid

Multiple contracts are not compatible with `TractorFacet`

Summary

Multiple contracts are not compatible with `TractorFacet` and may lead to unexpected results.

Vulnerability Details

The idea of `TractorFacet` is that a user (the publisher) signs a blueprint, and any other user (the operator) can then execute that blueprint. For every call executed on behalf of the signer, Beanstalk must resolve the acting account with `LibTractor.user()` instead of `msg.sender`, because during blueprint execution `msg.sender` is the operator, not the signer. However, some code paths still use `msg.sender`.

`LibWeth`:

```solidity
function wrap(uint256 amount, LibTransfer.To mode) internal {
    deposit(amount);
    // WETH is delivered to msg.sender (the blueprint operator), not LibTractor.user()
    LibTransfer.sendToken(IERC20(WETH), amount, msg.sender, mode);
}

function unwrap(uint256 amount, LibTransfer.From mode) internal {
    // WETH is pulled from msg.sender rather than from the signer
    amount = LibTransfer.receiveToken(IERC20(WETH), amount, msg.sender, mode);
    withdraw(amount);
    // the unwrapped ETH is refunded to msg.sender
    (bool success, ) = msg.sender.call{value: amount}(new bytes(0));
    require(success, "Weth: unwrap failed");
}
```

`BeanL2MigrationFacet`:

```solidity
function migrateL2Beans(
    address reciever,
    address L2Beanstalk,
    uint256 amount,
    uint32 gasLimit
) external nonReentrant {
    // Beans are burned from msg.sender, not from LibTractor.user()
    C.bean().burnFrom(msg.sender, amount);
    // ... (remainder of the function not included in the submission)
}
```

`L1TokenFacet`:

```solidity
function transferInternalTokenFrom(
    IERC20 token,
    address sender,
    address recipient,
    uint256 amount,
    LibTransfer.To toMode
) external payable nonReentrant {
    LibTransfer.transferToken(
        token,
        sender,
        recipient,
        amount,
        LibTransfer.From.INTERNAL,
        toMode
    );
    // the allowance check is keyed on msg.sender (the operator), not LibTractor.user()
    if (sender != msg.sender) {
        LibTokenApprove.spendAllowance(sender, msg.sender, token, amount);
    }
}
```

Each of these can cause the wrong account to send or receive tokens. For example, if a blueprint includes `LibWeth.wrap`, the WETH is sent to the operator executing the blueprint instead of to the signer who published it.
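The following is an added example written for this page; it is not Beanstalk's code and not part of the original submission. It models the Tractor flow described above (a publisher signs a blueprint, an operator executes it via a self-`delegatecall`, so `msg.sender` stays the operator) and places a `wrapVulnerable` that credits `msg.sender` next to a `wrapFixed` that credits `user()`. The contract names, the `user()` helper, the signed digest layout, the internal balance mappings and the `forge-std` test harness are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Minimal model of Tractor-style execution (example code, not Beanstalk's).
/// The publisher signs calldata for this contract; any operator can execute it.
/// During execution msg.sender is the operator, so facet logic must use user().
contract TractorDemo {
    address private constant NO_PUBLISHER = address(1); // sentinel: not inside a blueprint
    address private activePublisher = NO_PUBLISHER;

    mapping(address => uint256) public ethBalance;  // modelled internal ETH balance
    mapping(address => uint256) public wethBalance; // modelled internal WETH balance
    mapping(address => uint256) public nonces;

    /// Account the facet logic should act for: the publisher inside a blueprint,
    /// otherwise the direct caller (assumed shape of LibTractor.user()).
    function user() public view returns (address) {
        return activePublisher == NO_PUBLISHER ? msg.sender : activePublisher;
    }

    function deposit() external payable {
        ethBalance[msg.sender] += msg.value;
    }

    /// Execute `blueprint` on behalf of `publisher`. The signature covers chain id,
    /// this contract, the publisher, a per-publisher nonce and the calldata.
    function tractor(address publisher, bytes calldata blueprint, bytes calldata sig) external {
        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(this), publisher, nonces[publisher]++, blueprint)
        );
        require(_recover(digest, sig) == publisher, "bad signature");
        require(activePublisher == NO_PUBLISHER, "nested tractor");
        activePublisher = publisher;
        // delegatecall to self keeps msg.sender == operator, like a diamond facet call
        (bool ok, bytes memory ret) = address(this).delegatecall(blueprint);
        activePublisher = NO_PUBLISHER;
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }

    /// Mirrors the finding: debits the acting user but credits msg.sender (the operator).
    function wrapVulnerable(uint256 amount) external {
        ethBalance[user()] -= amount;
        wethBalance[msg.sender] += amount;
    }

    /// Fixed: both legs resolve the account through user().
    function wrapFixed(uint256 amount) external {
        address u = user();
        ethBalance[u] -= amount;
        wethBalance[u] += amount;
    }

    function _recover(bytes32 digest, bytes calldata sig) private pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        return ecrecover(digest, v, r, s);
    }
}

/// Foundry test showing the operator ending up with the publisher's WETH.
contract TractorDemoTest is Test {
    TractorDemo demo;
    uint256 publisherKey = 0xA11CE; // constructed test key
    address publisher;
    address operator;

    function setUp() public {
        demo = new TractorDemo();
        publisher = vm.addr(publisherKey);
        operator = makeAddr("operator");
        vm.deal(publisher, 1 ether);
        vm.prank(publisher);
        demo.deposit{value: 1 ether}();
    }

    function _signed(bytes memory blueprint) internal view returns (bytes memory) {
        bytes32 digest = keccak256(
            abi.encode(block.chainid, address(demo), publisher, demo.nonces(publisher), blueprint)
        );
        (uint8 v, bytes32 r, bytes32 s) = vm.sign(publisherKey, digest);
        return abi.encodePacked(r, s, v);
    }

    function testVulnerableCreditsOperator() public {
        bytes memory bp = abi.encodeCall(TractorDemo.wrapVulnerable, (1 ether));
        vm.prank(operator);
        demo.tractor(publisher, bp, _signed(bp));
        assertEq(demo.wethBalance(operator), 1 ether); // publisher paid, operator received
        assertEq(demo.wethBalance(publisher), 0);
    }

    function testFixedCreditsPublisher() public {
        bytes memory bp = abi.encodeCall(TractorDemo.wrapFixed, (1 ether));
        vm.prank(operator);
        demo.tractor(publisher, bp, _signed(bp));
        assertEq(demo.wethBalance(publisher), 1 ether);
        assertEq(demo.wethBalance(operator), 0);
    }
}
```

Run with `forge test` in a project that has `forge-std` installed. The point to check when auditing a facet is whether every `msg.sender` read lies on a path reachable from the blueprint executor; if it does, it names the operator, and only `user()` names the signer.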

Impact

Loss of funds, unexpected behaviour

Tools Used

Manual review

Recommendations

Use `LibTractor.user()` instead of `msg.sender` in every code path reachable from a blueprint, including `LibWeth.wrap`/`unwrap`, `migrateL2Beans` and the allowance check in `transferInternalTokenFrom`.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Refunding ETH to the caller can be exploited using the Tractor component to call any arbitrary function on behalf of the publisher

Appeal created

deadrosesxyz Submitter
11 months ago
deadrosesxyz Submitter
11 months ago
inallhonesty Lead Judge
11 months ago
giovannidisiena Auditor
11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
