Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

`BLUEPRINT_TYPE_HASH` is computed wrong

draiakoo

Summary

The types of data used to compute the BLUEPRINT_TYPE_HASH does not match with the actual types used to obtain the signature

Relevant GitHub Links:

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/main/protocol/contracts/libraries/LibTractor.sol#L30

Vulnerability Details

Currently the BLUEPRINT_TYPE_HASH is computed as follows:

"Blueprint(address publisher,bytes data,bytes operatorData,uint256 maxNonce,uint256 startTime,uint256 endTime)"

However, when the blueprint hash is computed, it uses the following types of data:

function _getBlueprintHash(Blueprint calldata blueprint) internal view returns (bytes32) {

return

_hashTypedDataV4(

keccak256(

abi.encode(

BLUEPRINT_TYPE_HASH,

blueprint.publisher, // address

keccak256(blueprint.data), // bytes

keccak256(abi.encodePacked(blueprint.operatorPasteInstrs)), // bytes32[]

blueprint.maxNonce, // uint256

blueprint.startTime, // uint256

blueprint.endTime // uint256

)

);

}

As we can see, there is a type discrepancy in the third component of the type hash. In the type hash there is the bytes operatorData meanwhile in the signature hash, it uses a bytes32[] operatorPasteInstrs.

Impact

Medium
Having a discrepancy in the type of data can make other integrators of the protocol to sign data that will not match with the contract implementation.

Tools Used

Manual review

Recommendations

bytes32 public constant BLUEPRINT_TYPE_HASH =

keccak256(

- "Blueprint(address publisher,bytes data,bytes operatorData,uint256 maxNonce,uint256 startTime,uint256 endTime)"

+ "Blueprint(address publisher,bytes data,bytes32[] operatorPasteInstrs,uint256 maxNonce,uint256 startTime,uint256 endTime)"

);

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

The declaration and use of `LibTractor::BLUEPRINT_TYPE_HASH` is inconsistent with the field name of the structure `struct Blueprint`

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.