Beanstalk: The Finale
Beanstalk
DeFiHardhatFoundry
250,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Missing access control when whitelisting tokens will allow a malicious user to whitelist any token

asefewwexa

Line of code

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/init/reseed/L2/ReseedWhitelist.sol#L24

Summary

Missing access control when whitelisting tokens will allow a malicious user to whitelist any token

Vulnerability Details

function init(address[] calldata tokens, AssetSettings[] calldata asset) external {
for (uint i; i < tokens.length; i++) {
LibWhitelist.whitelistToken(
tokens[i],
asset[i].selector,
asset[i].stalkIssuedPerBdv,
asset[i].stalkEarnedPerSeason,
asset[i].encodeType,
asset[i].gaugePointImplementation.selector,
asset[i].liquidityWeightImplementation.selector,
asset[i].gaugePoints,
asset[i].optimalPercentDepositedBdv,
asset[i].oracleImplementation
);
}
}

this function is missing access control during mitigation and user can front run the init to whitelist any token or malicious token.
then the malicious user can deposit a malicious token to mint BEAN out and dump the BEAN tokens

Impact

Malicious user can whitelist tokens to swap for beans and cause a complete loss of funds to the protocol

Tools Used

manual review

Recommendations

add access control and ensure this function can only be called once, the code should also enforce that the tokens whitelisted in l2 is consistent with the tokens whitelisted in l1.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.