Line of code
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/init/reseed/L2/ReseedBarn.sol#L66
If ReseedBarn is reinitialized, an attacker can set any of:
s.sys.fert.activeFertilizer = activeFertilizer;
s.sys.fert.fertilizedIndex = fertilizedIndex;
s.sys.fert.unfertilizedIndex = unfertilizedIndex;
s.sys.fert.bpf = bpf;
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/init/reseed/L2/ReseedInternalBalances.sol#L28
If ReseedInternalBalances is re-initialized, the internal balance of an asset can be set arbitrarily.
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/init/reseed/L2/ReseedSilo.sol#L77
If the ReseedSilo init function is called multiple times, users can set their balance arbitrarily.
Summary
Certain reseed functions can be re-initialized multiple times.
Vulnerability Details
Init functions are supposed to be called only once. The problem occurs when important reseed contracts can be initialized more than once, giving the attacker full control over key variables. This allows an attacker to set an arbitrary balance for himself, change the fertilizer amount, and set the temperature, period and timestamps of gm.
Below are the values the attacker can set with init on the different contracts.
In ReseedBarn.sol
s.sys.season.fertilizing = true;
s.sys.fert.activeFertilizer = activeFertilizer;
s.sys.fert.fertilizedIndex = fertilizedIndex;
s.sys.fert.unfertilizedIndex = unfertilizedIndex;
s.sys.fert.bpf = bpf;
In ReseedInternalBalances.sol
function init(
BeanstalkInternalBalance calldata beanBalances,
BeanstalkInternalBalance calldata beanEthBalances,
BeanstalkInternalBalance calldata beanWstethBalances,
BeanstalkInternalBalance calldata beanStableBalances,
BeanstalkInternalBalance calldata urBeanBalances,
BeanstalkInternalBalance calldata urBeanLpBalances
In ReseedSilo.sol
function init(
SiloDeposits calldata beanDeposits,
SiloDeposits calldata beanEthDeposits,
SiloDeposits calldata beanWstEthDeposits,
SiloDeposits calldata bean3CrvDeposits,
SiloDeposits calldata urBeanDeposits,
SiloDeposits calldata urBeanLpDeposits
And finally, in ReseedSun.sol
function init(
uint32 season,
uint32 temperature,
uint128 averageGrownStalkPerBdvPerSeason,
uint128 beanToMaxLpGpPerBdvRatio
Impact
An attacker can set important values, such as his own balance, arbitrarily by re-initializing. This will allow the user to drain the protocol.
Tools Used
Manual review
Recommendations
Do not allow re-initialization.
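One way to enforce this recommendation, shown as an added example that is not code from the Beanstalk repository. It assumes init runs via delegatecall in the diamond's storage context, so the one-shot flag is kept at a fixed storage slot; `ReseedGuard`, `GuardedReseedBarn`, the `Fert` struct, the slot label and the parameter types are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. ReseedGuard, GuardedReseedBarn and Fert are hypothetical names.
library ReseedGuard {
    // Fixed slot: under delegatecall the flag is stored in the calling diamond's storage.
    bytes32 private constant SLOT = keccak256("example.reseed.guard");

    struct Layout {
        mapping(bytes32 => bool) done; // reseed step id => already executed
    }

    error AlreadyInitialized(bytes32 step);

    function layout() private pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly {
            l.slot := slot
        }
    }

    // Marks `step` as executed; reverts on any second call for the same step.
    function consume(bytes32 step) internal {
        Layout storage l = layout();
        if (l.done[step]) revert AlreadyInitialized(step);
        l.done[step] = true;
    }
}

contract GuardedReseedBarn {
    // Stand-in for the s.sys.fert fields written by the init shown in the finding
    // (field types are assumed).
    struct Fert {
        uint256 activeFertilizer;
        uint256 fertilizedIndex;
        uint256 unfertilizedIndex;
        uint128 bpf;
    }
    Fert internal fert;

    function init(
        uint256 activeFertilizer,
        uint256 fertilizedIndex,
        uint256 unfertilizedIndex,
        uint128 bpf
    ) external {
        ReseedGuard.consume(keccak256("ReseedBarn")); // first statement: one-shot check
        fert = Fert(activeFertilizer, fertilizedIndex, unfertilizedIndex, bpf);
    }
}
```

Each reseed contract would pass its own step id, so ReseedBarn, ReseedInternalBalances, ReseedSilo and ReseedSun can each run exactly once and any second call reverts before state is written.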