DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: medium
Invalid

Minimum transaction amount not enforced, allowing DoS attack

Summary

The Beanstalk protocol's SiloFacet.sol enforces no minimum amount on deposits or withdrawals. An attacker can therefore submit large numbers of dust-sized deposit and withdrawal transactions, temporarily degrading the usability of these functions for genuine users.

Vulnerability Details

Neither deposit nor withdrawDeposit limits how many calls a single address can make, and neither enforces a minimum amount. An attacker can therefore repeatedly deposit or withdraw dust amounts (e.g., 1 wei), flooding the network with transactions and temporarily degrading access to these functions for genuine users.

function deposit(address token, uint256 _amount, LibTransfer.From mode)
    external
    payable
    fundsSafu
    noSupplyChange
    noOutFlow
    nonReentrant
    mowSender(token)
    returns (uint256 amount, uint256 _bdv, int96 stem)
{
    // @audit-issue As there is no minimum deposit amount, an attacker could temporarily DoS this function by depositing dust amounts to the protocol.
    amount = LibTransfer.receiveToken(IERC20(token), _amount, LibTractor._user(), mode);
    (_bdv, stem) = _deposit(LibTractor._user(), token, amount);
}

function withdrawDeposit(address token, int96 stem, uint256 amount, LibTransfer.To mode)
    external
    payable
    fundsSafu
    noSupplyChange
    oneOutFlow(token)
    mowSender(token)
    nonReentrant
{
    // @audit-issue Temporary DoS if an attacker sends multiple transactions to withdraw 1 wei ...
    _withdrawDeposit(LibTractor._user(), token, stem, amount);
    LibTransfer.sendToken(IERC20(token), amount, LibTractor._user(), mode);
}

Impact

An attacker can disrupt the protocol's operations by submitting large numbers of low-value transactions, causing:

  1. Inaccessibility of funds: in the worst case, particularly for withdrawals, users may be unable to withdraw their funds when they need them, leading to financial loss or to missed opportunities elsewhere.

  2. Reduced protocol usability: sustained attacks could erode users' confidence in the protocol's reliability and security.

  3. Increased gas costs for genuine users: legitimate transactions must outbid the attacker's flood for block space, so users pay higher gas fees.

Tools Used

  • Manual code review

  • Solodit (checklist: SOL-AM-DOSA-2)

Recommendations

To mitigate this issue, enforce a minimum amount in both deposit and withdrawDeposit so that transactions below a threshold revert, and cap the number of deposit and withdrawal requests a single address can make within a given window. Both measures raise the attacker's cost rather than eliminating the behaviour: a minimum amount only requires the attacker to commit slightly more capital per transaction, and a per-address cap is sidestepped by spreading transactions across many addresses. Any minimum applied to withdrawals must also let a user withdraw a remaining balance that is itself below the minimum, or the guard would strand funds.
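The two recommended checks written out as a self-contained Solidity contract. This is an added example for this page, not Beanstalk's SiloFacet code: the contract name GuardedVault, the minAmount and maxOpsPerBlock parameters, the simple per-user balance ledger and the reduced IERC20 interface are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by the example (assumes a standard, non-fee-on-transfer token).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical vault used to demonstrate the recommended guards; not Beanstalk code.
contract GuardedVault {
    error BelowMinimum(uint256 amount, uint256 minimum);
    error TooManyRequests(address user, uint256 blockNumber);
    error InsufficientBalance(uint256 requested, uint256 available);

    IERC20 public immutable token;
    uint256 public immutable minAmount;      // floor for deposit and withdrawal amounts (assumed parameter)
    uint256 public immutable maxOpsPerBlock; // per-address cap on deposit+withdraw calls per block (assumed parameter)

    mapping(address => uint256) public balanceOf;
    // Rate-limit bookkeeping: the block in which the user last acted and how many calls they made in it.
    mapping(address => uint256) private lastActiveBlock;
    mapping(address => uint256) private opsThisBlock;

    constructor(IERC20 _token, uint256 _minAmount, uint256 _maxOpsPerBlock) {
        require(_minAmount > 0, "minAmount must be positive");
        require(_maxOpsPerBlock > 0, "cap must be positive");
        token = _token;
        minAmount = _minAmount;
        maxOpsPerBlock = _maxOpsPerBlock;
    }

    // Recommendation 2: cap the number of requests a single address can make per block.
    // The counter resets automatically the first time the caller acts in a new block.
    modifier rateLimited() {
        if (lastActiveBlock[msg.sender] != block.number) {
            lastActiveBlock[msg.sender] = block.number;
            opsThisBlock[msg.sender] = 0;
        }
        if (opsThisBlock[msg.sender] >= maxOpsPerBlock) {
            revert TooManyRequests(msg.sender, block.number);
        }
        opsThisBlock[msg.sender] += 1;
        _;
    }

    // Recommendation 1: reject dust deposits outright.
    function deposit(uint256 amount) external rateLimited {
        if (amount < minAmount) revert BelowMinimum(amount, minAmount);
        // Effects before interaction: update the ledger, then pull the tokens.
        balanceOf[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Recommendation 1 applied to withdrawals, with one necessary exception: a user whose
    // remaining balance is below minAmount must still be able to withdraw it in full,
    // otherwise the guard itself would strand funds.
    function withdraw(uint256 amount) external rateLimited {
        if (amount == 0) revert BelowMinimum(0, minAmount);
        uint256 available = balanceOf[msg.sender];
        if (amount > available) revert InsufficientBalance(amount, available);
        if (amount < minAmount && amount != available) revert BelowMinimum(amount, minAmount);
        balanceOf[msg.sender] = available - amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Lets a front end or a test read the remaining allowance without sending a transaction.
    function remainingOpsThisBlock(address user) external view returns (uint256) {
        if (lastActiveBlock[user] != block.number) return maxOpsPerBlock;
        uint256 used = opsThisBlock[user];
        return used >= maxOpsPerBlock ? 0 : maxOpsPerBlock - used;
    }
}
```

With a 6-decimal token, deploying with minAmount = 1e6 and maxOpsPerBlock = 4 rejects 1 wei deposits and limits any one address to four calls per block. The cap is a per-address bound only: an attacker who controls many addresses can still submit many transactions, so the guard limits damage from a single account rather than preventing spam altogether.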

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
