Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

TokenFacet.sol Failure to comply with the EIP-2612

kwakudr

Summary

TokenFacet.sol Failure to comply with the EIP-2612 could lead to reverts

Vulnerability Details

function permitToken(

address owner,

address spender,

address token,

uint256 value,

uint256 deadline,

uint8 v,

bytes32 r,

bytes32 s

) external payable fundsSafu noNetFlow noSupplyChange nonReentrant {

LibTokenPermit.permit(owner, spender, token, value, deadline, v, r, s);

LibTokenApprove.approve(owner, spender, IERC20(token), value);

}

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/beanstalk/farm/TokenFacet.sol#L154C5-L166C6

According to Eip2612 Doc: Compliant contracts must implement 3 new functions in addition to EIP-20: function permit(address owner, address spender, uint value, uint deadline, uint8 v, bytes32 r, bytes32 s) external function nonces(address owner) external view returns (uint) function DOMAIN_SEPARATOR() external view returns (bytes32)

The DOMAIN_SEPARATOR should be unique to the contract and chain to prevent replay attacks from other domains.

https://eips.ethereum.org/EIPS/eip-2612

Compliant contracts must implement 3 new functions in addition to EIP-20:

function permit(address owner, address spender, uint value, uint deadline, uint8 v, bytes32 r, bytes32 s) external

function nonces(address owner) external view returns (uint)

function DOMAIN_SEPARATOR() external view returns (bytes32)

The semantics of which are as follows:

For all addresses owner, spender, uint256s value, deadline and nonce, uint8 v, bytes32 r and s, a call to permit(owner, spender, value, deadline, v, r, s) will set allowance[owner][spender] to value, increment nonces[owner] by 1, and emit a corresponding Approval event, if and only if the following conditions are met:

The current blocktime is less than or equal to deadline.
owner is not the zero address.
nonces[owner] (before the state update) is equal to nonce.
r, s and v is a valid secp256k1 signature from owner of the message:

If any of these conditions are not met, the permit call must revert.

keccak256(abi.encodePacked(

hex"1901",

DOMAIN_SEPARATOR,

keccak256(abi.encode(

keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"),

owner,

spender,

value,

nonce,

deadline))

))

Impact

In TokenFacet.sol, there is no implementation of DOMAIN_SEPARATOR(). The contract will also be deployed on the L2 potentially, which poses a potential replay attack vulnerability.

Tools Used

Manual Review

Recommendations

Properly implement DOMAIN_SEPARATOR()

https://eips.ethereum.org/EIPS/eip-2612

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.