Submission Details
Severity: low
Status: Invalid

Silo uses `msg.sender` instead of Tractor publisher in some case

Summary

Silo uses Tractor to allow actions to be executed on behalf of another user. For that reason Silo is meant to resolve the acting user from the Tractor publisher rather than from `msg.sender`: in the Tractor flow `msg.sender` is always `address(this)`, because TractorFacet is a facet of the Beanstalk Diamond and the call comes from the Diamond itself.

One code path still uses `msg.sender` as the operator, so an incorrect EIP1155 event is emitted when a deposit is removed from a user:

```solidity
// "removing" deposits is equivalent to "burning" a batch of ERC1155 tokens.
if (emission == ERC1155Event.EMIT_BATCH_EVENT) {
    emit TransferBatch(msg.sender, account, address(0), removedDepositIDs, amounts);
}
```
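To make the mechanism concrete, here is a constructed single-contract illustration (added for this write-up, not Beanstalk code): the Diamond, a TractorFacet stand-in and the Silo emission are collapsed into one contract, `tractor`, `removeDepositsBuggy`, `removeDepositsFixed` and the `_user()` resolution are assumed names modelled on the finding, and blueprint authorization is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed illustration, not Beanstalk code. Tractor records the publisher of the
/// blueprint being executed, then calls back into the Diamond through an external
/// self-call, so inside the Silo logic `msg.sender` is `address(this)`, not the publisher.
contract TractorOperatorDemo {
    event TransferBatch(
        address indexed operator,
        address indexed from,
        address indexed to,
        uint256[] ids,
        uint256[] values
    );

    address private activePublisher; // non-zero only while a blueprint is executing

    /// Assumed counterpart of `LibTractor._user()`: the publisher while a blueprint
    /// is active, otherwise the direct caller.
    function _user() internal view returns (address) {
        return activePublisher == address(0) ? msg.sender : activePublisher;
    }

    /// Stand-in for TractorFacet. Real Tractor verifies the publisher's signed
    /// blueprint before doing this; that check is omitted here.
    function tractor(address publisher, bytes calldata data) external {
        activePublisher = publisher;
        // External self-call: inside `data`'s target, msg.sender == address(this).
        (bool ok, ) = address(this).call(data);
        require(ok, "blueprint failed");
        activePublisher = address(0);
    }

    /// Buggy emission: operator is `msg.sender`, i.e. the Diamond itself under Tractor.
    function removeDepositsBuggy(address account, uint256[] calldata ids, uint256[] calldata amounts) external {
        emit TransferBatch(msg.sender, account, address(0), ids, amounts);
    }

    /// Fixed emission: operator is the resolved user (publisher under Tractor, caller otherwise).
    function removeDepositsFixed(address account, uint256[] calldata ids, uint256[] calldata amounts) external {
        emit TransferBatch(_user(), account, address(0), ids, amounts);
    }
}
```

Calling `tractor(publisher, abi.encodeCall(this.removeDepositsBuggy, (...)))` logs the contract's own address as `operator`, while the `removeDepositsFixed` variant logs `publisher`; a direct call to either logs the caller.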

Vulnerability Details

See summary above.

Impact

An incorrect `operator` is emitted in the EIP1155 event when a deposit is removed from a user.

Tools Used

Manual Review

Recommendations

Use Tractor's publisher:

if (emission == ERC1155Event.EMIT_BATCH_EVENT) {
- emit TransferBatch(msg.sender, account, address(0), removedDepositIDs, amounts);
+ emit TransferBatch(LibTractor._user(), account, address(0), removedDepositIDs, amounts);
}
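Review bot: the `+` line changes the operator only in the `EMIT_BATCH_EVENT` branch; since `emission` is an enum with at least one other value, the non-batch emission path should be checked for the same `msg.sender` operator and switched to `LibTractor._user()` as well, otherwise the "in some case" described in the summary is only partly addressed.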

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Incorrect `operator` is emitted in EIP1155 event when deposit is removed from user.
