DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Invalid

Nonce Handling Vulnerability in `runBlueprint` Modifier of `TractorFacet` Contract

Summary

The runBlueprint modifier in the TractorFacet contract contains a vulnerability due to improper nonce handling. Specifically, the current implementation only checks that the nonce is below a maximum value but does not ensure the nonce's uniqueness or sequential order. This weakness can lead to replay or out-of-order execution attacks.

Vulnerability Details

See the following code:

```solidity
modifier runBlueprint(LibTractor.Requisition calldata requisition) {
    require(
        LibTractor._getBlueprintNonce(requisition.blueprintHash) <
            requisition.blueprint.maxNonce,
        "TractorFacet: maxNonce reached"
    );
    require(
        requisition.blueprint.startTime <= block.timestamp &&
            block.timestamp <= requisition.blueprint.endTime,
        "TractorFacet: blueprint is not active"
    );
    LibTractor._incrementBlueprintNonce(requisition.blueprintHash);
    LibTractor._setPublisher(payable(requisition.blueprint.publisher));
    _;
    LibTractor._resetPublisher();
}
```

The runBlueprint modifier performs the following checks and actions:

  • Ensures the current nonce is less than the maximum nonce allowed for the blueprint.

  • Checks the blueprint's validity period based on the current block timestamp.

  • Increments the nonce associated with the blueprint hash.

  • Sets and resets the blueprint publisher.

The issue lies in the nonce check: it only verifies that the nonce is below a maximum value but does not ensure that the nonce is unique or sequential. This can allow for the following attacks:

  • An attacker can reuse an old nonce that has not reached the maximum value yet.

  • An attacker can use nonces out of order, potentially disrupting the sequence of operations.

Impact

Reusing an old nonce can lead to the same operation being executed multiple times, potentially causing financial losses or operational disruptions. Executing operations out of order can lead to inconsistencies and unexpected behavior in the contract's state.

Tools Used

Manual Review

Recommendations

To prevent replay and out-of-order execution attacks, the contract should ensure that nonces are both unique and sequential.
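For reference, a stand-alone model of the checks in the quoted modifier, added here as an example; it is not part of the submission or of the project's code. It assumes that `_getBlueprintNonce` and `_incrementBlueprintNonce` read and bump a stored counter keyed by blueprint hash (LibTractor's internals are not shown on this page) and it omits signature verification; `BlueprintCounterModel`, `run`, the reduced structs and the shortened revert strings are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code.
// ASSUMPTION: the blueprint nonce is a stored counter keyed by blueprint hash.
contract BlueprintCounterModel {
    // Reduced to the fields the quoted modifier reads.
    struct Blueprint {
        address publisher;
        uint256 maxNonce;
        uint256 startTime;
        uint256 endTime;
    }

    struct Requisition {
        Blueprint blueprint;
        bytes32 blueprintHash;
    }

    // blueprintHash => number of completed runs (models _getBlueprintNonce)
    mapping(bytes32 => uint256) public blueprintNonce;
    // models _setPublisher / _resetPublisher
    address public activePublisher;

    modifier runBlueprint(Requisition calldata requisition) {
        // Check 1: the stored counter must still be below the blueprint's cap.
        require(
            blueprintNonce[requisition.blueprintHash] < requisition.blueprint.maxNonce,
            "maxNonce reached"
        );
        // Check 2: the current block must fall inside the validity window.
        require(
            requisition.blueprint.startTime <= block.timestamp &&
                block.timestamp <= requisition.blueprint.endTime,
            "blueprint is not active"
        );
        // State change happens before the function body runs.
        blueprintNonce[requisition.blueprintHash] += 1;
        activePublisher = requisition.blueprint.publisher;
        _;
        activePublisher = address(0);
    }

    // Hypothetical entry point: returns the counter value after this run.
    function run(Requisition calldata requisition)
        external
        runBlueprint(requisition)
        returns (uint256 runsSoFar)
    {
        runsSoFar = blueprintNonce[requisition.blueprintHash];
    }
}
```

Deploying the model in a local Hardhat or Foundry project and calling `run` repeatedly with the same requisition shows how the counter, the `maxNonce` cap and the time window interact under the stated assumption.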

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
