Submission Details
Severity:
L2ContractMigrationFacet.sol uses incorrect chainId in EIP712 signature
Summary
L2ContractMigrationFacet.sol implements EIP712. For some reason it requires signature to be signed with chainId = 1 (Mainnet). However protocol is migrated to L2 so it should use chainId of current chain instead.
Vulnerability Details
Here you can see it uses legacyChainId when calculates domain separator:
https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/df2dd129a878d16d4adc75049179ac0029d9a96b/protocol/contracts/beanstalk/silo/L2ContractMigrationFacet.sol#L237
function _domainSeparatorV4() internal view returns (bytes32) {
return
keccak256(
abi.encode(
EIP712_TYPE_HASH,
MIGRATION_HASHED_NAME,
MIGRATION_HASHED_VERSION,
C.getLegacyChainId(),
address(this)
)
);
}
Impact
L2ContractMigrationFacet.sol doesn't conform to EIP712.
Tools Used
Manual Review
Recommendations
Use current chainId:
function _domainSeparatorV4() internal view returns (bytes32) {
return
keccak256(
abi.encode(
EIP712_TYPE_HASH,
MIGRATION_HASHED_NAME,
MIGRATION_HASHED_VERSION,
- C.getLegacyChainId(),
+ block.chainId,
address(this)
)
);
}
Updates
Lead Judging Commences
inallhonesty 11 months ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
Replay attack in case of hard fork - Hardcoded chainId 712
Appeal created
T1MOH
11 months ago
inallhonesty
11 months ago
inallhonesty 10 months ago
Submission Judgement Published Reason: Known issue
Assigned finding tags:
Replay attack in case of hard fork - Hardcoded chainId 712
Prize pool breakdown
Total prize
250,000 USDC
nSLOC
12,28520 USDC / LOC
220,000 USDC
10,000 USDC
20,000 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.