DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Unsanitized `getTokenName` function can lead to SVG injection in the beanstalk ERC1155's `uri`

Summary

The ERC20 token symbol returned by the getTokenName function is embedded into the deposit metadata without sanitization, which can lead to JSON injection and, through the embedded SVG, XSS on front ends that render it.

Vulnerability Details

In MetadataFacet.sol, the URI of an ERC1155 depositId is produced by the uri function. It returns a base64-encoded JSON object that contains the deposit metadata and a base64-encoded SVG image. The part of the function that matters here is the call to getTokenName, whose result is concatenated straight into the JSON between double quotes.

    function uri(uint256 depositId) external view returns (string memory) {
        (address token, int96 stem) = LibBytes.unpackAddressAndStem(depositId);
        int96 stemTip = LibTokenSilo.stemTipForToken(token);
        // validate the uri
        // the deposit id must return
        // 1) a token in the silo whitelist (by checking milestone season)
        // 2) a stem that is less than or equal to the stem tip
        require(
            s.sys.silo.assetSettings[token].milestoneSeason != 0 && stemTip >= stem,
            "Silo: metadata does not exist"
        );
        bytes memory attributes = abi.encodePacked(
            ', "attributes": [ { "trait_type": "Token", "value": "',
            getTokenName(token), // token symbol inserted verbatim into the JSON string
            '"}, { "trait_type": "Token Address", "value": "',
            // ... rest of the function omitted in this excerpt

getTokenName is defined in MetadataImage.sol, where the ERC20 token's symbol is queried. As the function shows, the symbol is returned exactly as the token contract reports it, with no sanitization and no length check.

    function getTokenName(address token) internal view returns (string memory tokenString) {
        // for unripe LP, return `urLP` given the current unripe name is inaccurate.
        if (token == C.UNRIPE_LP) {
            tokenString = "urBEANLP";
        } else {
            tokenString = ERC20(token).symbol();
        }
    }

An ERC20 symbol() is an arbitrary string chosen by whoever deployed the token: it can contain letters, digits, punctuation, quotes, braces, angle brackets or URLs, and uri passes it through verbatim. Because the symbol is concatenated between double quotes inside the JSON, a symbol containing `"` or `\` terminates the attribute string and corrupts the document; because the same string is also drawn into the SVG, angle brackets in the symbol become SVG markup. Base64-encoding the result does not neutralize any of this, since whatever front end displays the Beanstalk ERC1155s decodes and renders it. Note that uri only serves tokens that pass the whitelist check (milestoneSeason != 0), so the symbol must come from a whitelisted token.
SVG documents can carry `<script>` elements, and browsers execute them when the SVG is rendered inline, loaded through `<object>` or `<iframe>`, or opened directly (an `<img>` tag does not run them), so a front end that renders the decoded image inline is exposed to XSS.

Impact

If the symbol of a whitelisted token contains JavaScript, a front end that renders the decoded SVG inline would execute it in the front end's own origin. For instance, this could be used to display a fake MetaMask pop-up that asks the user to sign a message.

Tools Used

Manual Code Review
References: Using JavaScript in SVG; SVG XSS injection attacks

Recommendations

Add an input sanitization step to getTokenName so that only letters and digits are kept (with a maximum length), falling back to a fixed placeholder or reverting when the symbol contains anything else. Alternatively, JSON-escape the symbol before embedding it in the metadata and XML-escape it before embedding it in the SVG.
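The following is an added example, not Beanstalk's code: it reproduces the shape of the metadata produced by uri off-chain (a JSON object with the symbol between double quotes, plus a base64 SVG that also draws the symbol), shows how an unsanitized symbol lands in both, and applies the allowlist sanitizer recommended above. The contract's real JSON and SVG contain more fields than mirrored here; the symbols, the address and the 32-character cap are assumptions constructed for the demo. The byte loop in sanitizeSymbol is the same logic a Solidity implementation would run over bytes(symbol).

```javascript
// Added example (not Beanstalk's code). Mirrors only the JSON/SVG layout
// relevant to the finding; sample values are constructed for the demo.

// Vulnerable path: the symbol is used exactly as the token contract reports it.
function getTokenNameUnsanitized(symbol) {
  return symbol;
}

// Proposed hardening: keep [A-Za-z0-9] only and cap the length. Quotes,
// backslashes, braces and angle brackets are dropped, so the value can neither
// terminate the JSON string nor open an element inside the SVG.
const MAX_SYMBOL_LENGTH = 32; // assumption: a cap the contract would choose
function sanitizeSymbol(symbol) {
  let out = "";
  for (const ch of symbol) {
    if (/^[A-Za-z0-9]$/.test(ch)) out += ch;
    if (out.length === MAX_SYMBOL_LENGTH) break;
  }
  return out.length > 0 ? out : "UNKNOWN"; // placeholder when nothing survives
}

// Build the token URI the way uri does: an SVG that draws the symbol, base64'd
// and referenced from a JSON document that is itself base64'd.
function buildTokenUri(tokenName, tokenAddress) {
  const svg =
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">' +
    '<text x="10" y="50">' + tokenName + "</text></svg>";
  const json =
    '{"name": "Beanstalk Silo Deposits", "attributes": [ ' +
    '{ "trait_type": "Token", "value": "' + tokenName + '"}, ' +
    '{ "trait_type": "Token Address", "value": "' + tokenAddress + '"} ], ' +
    '"image": "data:image/svg+xml;base64,' +
    Buffer.from(svg).toString("base64") + '"}';
  return "data:application/json;base64," + Buffer.from(json).toString("base64");
}

// What a front end does with the URI: decode it and parse the metadata.
function decodeTokenUri(uri) {
  const prefix = "data:application/json;base64,";
  return JSON.parse(Buffer.from(uri.slice(prefix.length), "base64").toString("utf8"));
}

function metadataParses(uri) {
  try {
    decodeTokenUri(uri);
    return true;
  } catch (e) {
    return false; // a symbol containing `"` or `\` corrupts the JSON
  }
}

// Recover the SVG document the front end would render from the image field.
function svgFromMetadata(metadata) {
  const prefix = "data:image/svg+xml;base64,";
  return Buffer.from(metadata.image.slice(prefix.length), "base64").toString("utf8");
}

// Constructed demo inputs: a symbol carrying a script element (keeps the JSON
// valid, so it reaches the SVG intact) and one carrying a stray quote.
const DEMO_ADDRESS = "0x0000000000000000000000000000000000000001";
const SCRIPT_SYMBOL = "BEAN<script>alert(1)</script>";
const QUOTE_SYMBOL = 'BEAN"';

function demo() {
  const evilUri = buildTokenUri(getTokenNameUnsanitized(SCRIPT_SYMBOL), DEMO_ADDRESS);
  console.log("script symbol parses:", metadataParses(evilUri));
  console.log("svg contains <script>:", /<script>/.test(svgFromMetadata(decodeTokenUri(evilUri))));
  console.log("quote symbol parses:", metadataParses(buildTokenUri(QUOTE_SYMBOL, DEMO_ADDRESS)));
  const safeUri = buildTokenUri(sanitizeSymbol(SCRIPT_SYMBOL), DEMO_ADDRESS);
  console.log("sanitized symbol:", sanitizeSymbol(SCRIPT_SYMBOL));
  console.log("sanitized svg contains <script>:", /<script/.test(svgFromMetadata(decodeTokenUri(safeUri))));
}
demo();
```

The script payload is the interesting case: it contains no characters that are special in JSON, so the metadata still parses cleanly and the `<script>` element reaches the decoded SVG untouched, which is exactly the input a naive "does the metadata parse?" check on the front end would wave through. The allowlist removes the problem at the source; escaping at the embedding points is the alternative if preserving unusual symbols matters.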

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
