Relevant GitHub Links

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/8c8710df547f7d7c5dd82c5381eb6b34532e4484/protocol/contracts/beanstalk/silo/L2ContractMigrationFacet.sol#L101
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/8c8710df547f7d7c5dd82c5381eb6b34532e4484/protocol/contracts/beanstalk/silo/L2ContractMigrationFacet.sol#L128

Summary

Multiple redemptions can be made based on one leaf across multiple chains and forks.

Vulnerability Details

The redeemDepositsAndInternalBalances function allows an contract that owns deposits and bean-asset internal balances to redeem onto an address on L2. The function uses merkleproof to verify the leaf in the verifyDepositsAndInternalBalances function.

As can be seen from the leaf, it is missing the chainid parameter, and also doesn't have the EIP-712 protection. One thing to note is that merkle trees are long-lived, so therefore, they need to be able to handle forks correctly and must be chain specific so as to make it impossible for someone to claim on various chains. A malicious user can simply monitors the mempool across different chains, then when a recipient submits a claim transaction on one chain, the attacker replicates it on another chain where the L2ContractMigrationFacet is also deployed. This allows the attacker to potentially claim tokens on the other chain before the legitimate recipient. During a chain fork, the attacker can monitor the transactions on the shorter fork. If a recipient’s claim transaction appears on the shorter fork, the attacker can replicate it on the longer fork. The attacker's transaction on the longer fork is processed, allowing them to claim tokens before the legitimate recipient when the shorter fork is discarded.

Impact

Potential loss of funds due to cross chain redemptions.

Tools Used

Manual Review

Recommendations

Add the chainId to the leaf hash.