Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

High Risk Denial-of-Service (DoS) Vulnerability in ERC1155 Token Minting Process.

Uno

Summary:

This report describes a potential Denial-of-Service (DoS) vulnerability.
The vulnerability arises when mintFertilizers calls beanstalkMint to mint ERC1155 NFT if receiver is contract it must implement onERC1155Received if that contract has no onERC1155Received the whole transaction will revert causing Dos and prevent other users from getting their fertilizer NFT.

Vulnerability Details

The mintFertilizers function attempts to mint a specific fertilizer (fertilizerId) for multiple users.
However, the code depends on onERC1155Received callback being implemented by the receiving L2 contract to check ERC1155 implementation, if the receiver contract doesn't implement onERC1155Received the transaction will revert.

1- If a receiving contract (L2) does not have the onERC1155Received callback implemented, the mintFertilizers function will revert due to onERC1155Received missing.
2- Since mintFertilizers attempts to mint NFT for multiple users, a missing onERC1155Received callback on L2 contracts leads to a DoS.

3- A user with bad intentions can cause Dos and prevent NFT fertilizer from being minted, to other users.

POC:

function mintFertilizers(Fertilizer fertilizerProxy, Fertilizers[] calldata fertilizerIds) internal {
// ...snip
// reissue fertilizer to each holder.
for (uint j; j < f.accountData.length; j++) {
@>> fertilizerProxy.beanstalkMint(
f.accountData[j].account,
fid,
f.accountData[j].amount,
f.accountData[j].lastBpf
);
}
// ...snip
}
function beanstalkMint(address account, uint256 id, uint128 amount, uint128 bpf) external onlyOwner {
// ...snip
@>> _safeMint(account, id, amount, bytes("0"));
}
function _safeMint(address to, uint256 id, uint256 amount, bytes memory data) internal virtual {
// ...snip
@>> __doSafeTransferAcceptanceCheck(operator, address(0), to, id, amount, data);
}
function __doSafeTransferAcceptanceCheck(
address operator,
address from,
address to,
uint256 id,
uint256 amount,
bytes memory data
) private {
if (LibFertilizer.isContract(to)) {
try IERC1155Receiver(to).onERC1155Received(operator, from, id, amount, data)
returns(bytes4 response)
{
if (response != IERC1155Receiver.onERC1155Received.selector) {
revert("ERC1155: ERC1155Receiver rejected tokens");
}
} catch Error(string memory reason) {
revert(reason);
} catch {
@>> revert("ERC1155: transfer to non ERC1155Receiver implementer");
}
}
}

Impact:

A user with bad intentions can cause Dos and prevent NFT fertilizer from being minted, to other users.

Tools Used

Recommendation:

There are many ways to handle this issue, after the developers are notified with this issue they will update the code as they see it fits.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`_safeMint` can DOSS due to a receiver not implementing `onERC1155Received`

Appeal created

T1MOH Auditor
11 months ago
Uno Submitter
11 months ago
Uno Submitter
11 months ago
inallhonesty Lead Judge
11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`_safeMint` can DOSS due to a receiver not implementing `onERC1155Received`

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.