DeFi, Hardhat, Foundry
Prize pool: 250,000 USDC
Submission Details
Severity: low
Invalid

nextFid linked list will be corrupted if a FID is duplicated.

Summary

A vulnerability exists in the mintFertilizers function of the ReseedBarn contract (https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/beanstalk/init/reseed/L2/ReseedBarn.sol#L72-L96).
This function is responsible for minting fertilizers, which are stored in a linked list using the nextFid mapping.
The vulnerability arises when the fertilizerIds argument passed to mintFertilizers contains duplicate fertilizer IDs.

Vulnerability Details

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/beanstalk/init/reseed/L2/ReseedBarn.sol#L79-L82

mintFertilizers receives Fertilizers[] calldata fertilizerIds, and the IDs in fertilizerIds must be in order because they are stored as a linked list in which each ID points to the next ID:

[0, 100] -> [100, 200] -> [200, 300] -> [300, 400]

If the fertilizerIds array contains a duplicate ID, the linked list will be corrupted.
For example, if ID 100 is duplicated:

[0, 100] -> [100, 400] -> [200, 100] -> [100, 400]

POC:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal reproduction of the ReseedBarn linking loop, with no Beanstalk dependencies.
contract FertilizerId {
    uint128 fertFirst;
    uint128 fertLast;
    mapping(uint128 => uint128) nextFid;

    function setUp() public {
        // Five IDs, the fourth one duplicating 100. The array length matches
        // the number of IDs so no trailing zero entries are linked by mistake.
        uint128[] memory data = new uint128[](5);
        data[0] = 0;
        data[1] = 100;
        data[2] = 200;
        data[3] = 100; // duplicate id.
        data[4] = 400;
        mintFertilizers(data);
    }

    function mintFertilizers(uint128[] memory fertilizerIds) internal {
        for (uint i; i < fertilizerIds.length; i++) {
            // set s.firstFid, s.nextFid, s.lastFid
            uint128 fid = fertilizerIds[i];
            if (i == 0) fertFirst = fid;
            // The second occurrence of 100 overwrites nextFid[100] (200) with 400.
            if (i != 0) nextFid[fertilizerIds[i - 1]] = fid;
            if (i == fertilizerIds.length - 1) fertLast = fid;
        }
        // 100 must point to 200.
        // [0, 100] -> [100, 200] -> [200, 300] -> [300, 400]
        // but we get
        // [0, 100] -> [100, 400] -> [200, 100] -> [100, 400]
        require(nextFid[100] == 200, "Linked list corrupt");
    }
}

Impact:

A corrupted linked list can lead to unexpected behavior in functions that rely on traversing the fertilizer list. This could potentially result in:

1- Inability to access or modify specific fertilizers.
2- Incorrect data being returned when querying the fertilizer list.

Tools Used

Recommendations

Enforce unique fertilizer IDs:
The contract should be modified to ensure that the fertilizerIds array passed to mintFertilizers does not contain any duplicates.
This can be achieved by validating the array before processing it.
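One way to implement that validation, as an added example that is not part of this submission or of Beanstalk's ReseedBarn: since the list is only consistent when IDs arrive in order, requiring strictly ascending IDs rejects duplicates and out-of-order input with a single pass and no extra storage. The contract name, the custom errors and the isListConsistent helper are assumptions made for this standalone example; it assumes ascending order is the intended order.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Standalone example (not Beanstalk code): the linking loop from the report,
// preceded by a strict-ordering check that makes duplicates impossible.
contract SafeFertilizerList {
    uint128 public fertFirst;
    uint128 public fertLast;
    mapping(uint128 => uint128) public nextFid;

    error DuplicateOrUnorderedFid(uint256 index, uint128 previous, uint128 current);
    error EmptyFertilizerIds();

    function mintFertilizers(uint128[] calldata fertilizerIds) external {
        uint256 len = fertilizerIds.length;
        if (len == 0) revert EmptyFertilizerIds();

        // Validate before touching storage so a bad batch leaves no partial writes.
        for (uint256 i = 1; i < len; i++) {
            // "<=" rejects an exact repeat (100, 100) and a later repeat (200, 100)
            // such as the [0, 100, 200, 100, 400] input from the POC above.
            if (fertilizerIds[i] <= fertilizerIds[i - 1]) {
                revert DuplicateOrUnorderedFid(i, fertilizerIds[i - 1], fertilizerIds[i]);
            }
        }

        // Same linking logic as the report's POC, now on input known to be well-formed:
        // each nextFid slot is written exactly once.
        fertFirst = fertilizerIds[0];
        for (uint256 i = 1; i < len; i++) {
            nextFid[fertilizerIds[i - 1]] = fertilizerIds[i];
        }
        fertLast = fertilizerIds[len - 1];
    }

    // Assumed helper for tests: walk from fertFirst to fertLast and confirm every
    // hop is ascending. Termination is guaranteed because the check above only
    // ever admits strictly increasing IDs.
    function isListConsistent() external view returns (bool) {
        uint128 cur = fertFirst;
        while (cur != fertLast) {
            uint128 nxt = nextFid[cur];
            if (nxt <= cur) return false;
            cur = nxt;
        }
        return true;
    }
}
```

With this check in place, the POC input [0, 100, 200, 100, 400] reverts at index 3 instead of silently overwriting nextFid[100], and nextFid[100] == 200 holds for any batch that is accepted.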

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

