Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

withdrawDeposits send tokens with no checks and no reentry guard for external available _mow

barneyetherguardian

Summary

withdrawDeposits has nonReenter guard on it, but not every funtion which is accessible external, some exploit might be possible by using _moew, endTotalGermination, claimFertilized

or any other function added by diamond proxy,
especially that with safe transfer wich no checks , and possibility
any token ERC20 can be whtielisted by bean Governance in future,

that is huge opening.

Vulnerability Details

We start with withdraw deposit

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/beanstalk/silo/SiloFacet/SiloFacet.sol#L107-L115

LibTransfer.sendToken has no check of result in this contract SiloFacet.sol
which triggers safe transfer with no checks.

Impact

Can try siphon the whole contracts deposits.

Tools Used

Slither , hardhat, code analyze.

Recommendations

apply some data checks to the call of funtion in library

try LibTransfer.sendToken(IERC20(token), amount, recipient, mode)

{ return

true; }

catch {

return false;

}

// add to function with reentrancy2 guard

_moew nonReentrant2 { // Reentrancy guard applied

especially (like second reentry guard if withdraw and others use first reentry guard flag) if thats always true:

/**

* @dev Claims the Grown Stalk for `account` and applies it to their Stalk

* balance. Also handles Season of Plenty related rain.

* This is why `_mow()` must be called ___ before any actions that change Seeds,

* including:

* - {SiloFacet-deposit}

* - {SiloFacet-withdrawDeposit}

* - {SiloFacet-withdrawDeposits}

* - {_plant}

* - {SiloFacet-transferDeposit(s)}

function _mow(address account, address token) external {

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/libraries/Silo/LibSilo.sol#L413C1-L425C61

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.