Typed structured data hash used for signing permissions is calculated incorrectly
Summary
Context:
Tractor is a new feature of Beanstalk that allow users to authorize third parties to execute operation on their behalf. TractorFacet.sol relies on LibTractor.sol to generate the authorizations by implementing Typed Structured Data Hash according to EIP-712.
Users need to sign a blueprint that represent the set of instructions allowed to be performed by the third party, the problem is that the BLUEPRINT_TYPE_HASH does not uses the same types declared in the struct Blueprint, resulting in the generation of an incorrect typed structured data hash for signatures.
Vulnerability Details
Blueprint is defined as follows:
According to EIP-712 the Typehash is calculated as follows: typeHash = keccak256(encodeType(typeOf(s))).
Where encodeType is the type of a struct that is encoded as: name ‖ "(" ‖ member₁ ‖ "," ‖ member₂ ‖ "," ‖ … ‖ memberₙ ")".
The Typehash is calculated like this:
As you can see the third member is of type bytes when in fact is of type bytes32[].
Impact
Generating an incorrect typed structured data hash can case issues to tools or wallets that are EIP-712 compliant to integrate with Beanstalk.
Tools Used
Manual review.
Recommendations
Modify BLUEPRINT_TYPE_HASH to generate the hash with the correct types so it points to the correct data structure.
Lead Judging Commences
The declaration and use of `LibTractor::BLUEPRINT_TYPE_HASH` is inconsistent with the field name of the structure `struct Blueprint`
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.