Tags: DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: low
Invalid

Unescaped ERC20 Symbol in SVG Generation Can Lead to Invalid XML

Summary

The MetadataImage contract generates SVG images that include ERC20 token symbols. However, these symbols are not escaped before being inserted into the SVG XML. When a token symbol contains XML metacharacters, the generated document is not well-formed XML, which can cause rendering failures or broken NFT images in viewers that parse the SVG strictly.

Vulnerability Details

First, consider the tokenName and getTokenName functions:

tokenName function:

    function tokenName(address token) internal view returns (string memory) {
        return
            string(
                abi.encodePacked(
                    '<text x="10" y="14.5" font-size="12" fill="White" text-anchor="start" font-family="futura">',
                    getTokenName(token),
                    "</text>"
                )
            );
    }

getTokenName function:

    function getTokenName(address token) internal view returns (string memory tokenString) {
        if (token == C.UNRIPE_LP) {
            tokenString = "urBEANLP";
        } else {
            tokenString = ERC20(token).symbol();
        }
    }

The getTokenName function returns the ERC20 token's symbol verbatim, with no escaping or sanitization. Because symbol() is implemented by the token contract itself, whoever deploys the token controls this string. The raw symbol is then concatenated into the SVG XML by tokenName as element text.

If a symbol contains any of the XML metacharacters '<', '>', '&', '"' or the apostrophe ('), the result is not well-formed XML. For instance:

  • A token with symbol "A&B" would produce: <text>A&B</text>, which is invalid XML.

  • A token with symbol "C<D" would produce: <text>C<D</text>, which is also invalid XML.

The same pattern appears in the movingTokenAddress function, which writes the token address into the SVG without escaping. An address rendered as a hex string contains no XML metacharacters, so that path is only a concern if the address is rendered in some other form; the symbol path is the one that is exploitable in practice.

Impact

For tokens whose symbols contain XML metacharacters, the generated SVG is not well-formed XML. Strict renderers will refuse to display the image at all, and lenient ones may drop or mangle the text element, so the token symbol (and with it a key piece of the NFT metadata) is lost or misrepresented. A symbol is also a convenient place to smuggle additional markup into the SVG, since the text is inserted as raw element content rather than as data.

Tools Used

Manual review

Recommendations

Implement an XML escaping helper that replaces '&', '<', '>', '"' and the apostrophe with their entity references (&amp;, &lt;, &gt;, &quot;, &#39;), and have getTokenName pass ERC20(token).symbol() through it before the string reaches tokenName. Apply the same treatment to any other token-supplied string written into the SVG. In addition, enforce a maximum symbol length (falling back to a placeholder or reverting when it is exceeded) so that an oversized or pathological symbol cannot bloat or break the image even after escaping.
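The following is an added example of the escaping and length-capping approach described above, written for this writeup; it is not code from the Beanstalk code base or the audited MetadataImage contract. It serves both the vulnerability walkthrough (the "A&B" and "C<D" cases) and the recommendation. The names XmlEscape, IERC20Metadata, MAX_SYMBOL_BYTES and the zero-address placeholder for C.UNRIPE_LP are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the audited code base. `XmlEscape`, `IERC20Metadata`,
// `MAX_SYMBOL_BYTES` and the UNRIPE_LP placeholder are names assumed for this example.

interface IERC20Metadata {
    function symbol() external view returns (string memory);
}

library XmlEscape {
    /// @notice Replace the five XML metacharacters with entity references so the
    ///         result is safe as element text or as a double/single-quoted attribute value.
    function escape(string memory s) internal pure returns (string memory) {
        bytes memory input = bytes(s);
        // Worst case: every input byte becomes a 6-byte entity ("&quot;").
        bytes memory out = new bytes(input.length * 6);
        uint256 n = 0;
        for (uint256 i = 0; i < input.length; i++) {
            bytes1 c = input[i];
            if (c == "&") {
                n = _append(out, n, "&amp;");
            } else if (c == "<") {
                n = _append(out, n, "&lt;");
            } else if (c == ">") {
                n = _append(out, n, "&gt;");
            } else if (c == '"') {
                n = _append(out, n, "&quot;");
            } else if (c == "'") {
                n = _append(out, n, "&#39;");
            } else {
                out[n++] = c;
            }
        }
        // Shrink the buffer's length word to the number of bytes actually written.
        assembly ("memory-safe") {
            mstore(out, n)
        }
        return string(out);
    }

    function _append(bytes memory out, uint256 n, bytes memory entity) private pure returns (uint256) {
        for (uint256 i = 0; i < entity.length; i++) {
            out[n + i] = entity[i];
        }
        return n + entity.length;
    }
}

contract MetadataImageHardened {
    using XmlEscape for string;

    // Placeholder for C.UNRIPE_LP; the real constant lives in the project's C library.
    address internal constant UNRIPE_LP = address(0);

    // Upper bound on the raw symbol accepted from a token contract. A hostile token can
    // return a symbol of any length, so cap it before it is escaped and embedded.
    uint256 internal constant MAX_SYMBOL_BYTES = 32;

    function getTokenName(address token) internal view returns (string memory tokenString) {
        if (token == UNRIPE_LP) {
            return "urBEANLP";
        }
        bytes memory raw = bytes(IERC20Metadata(token).symbol());
        if (raw.length > MAX_SYMBOL_BYTES) {
            // Fall back to a fixed placeholder instead of truncating, so a cut can never
            // split a multi-byte UTF-8 sequence or leave a half-written entity.
            return "UNKNOWN";
        }
        // "A&B" becomes "A&amp;B"; "C<D" becomes "C&lt;D"; plain symbols are unchanged.
        tokenString = string(raw).escape();
    }

    function tokenName(address token) internal view returns (string memory) {
        return string(
            abi.encodePacked(
                '<text x="10" y="14.5" font-size="12" fill="White" text-anchor="start" font-family="futura">',
                getTokenName(token),
                "</text>"
            )
        );
    }
}
```

Escaping is done after the length check rather than before it so that the bound applies to what the token actually returned; the escaped form can be up to six times longer, which is why the output buffer is over-allocated and then shrunk. The same escape function should be applied to any other token-controlled string (name, decimals rendered as text) before it is placed in the SVG.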

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Appeal created

rhaydden Submitter about 1 year ago
inallhonesty Lead Judge
about 1 year ago
