Submission Details
Severity: low
Invalid

Silo deposits can be transferred to `address(0)` which can cause issues in future upgrade

Summary

A Silo deposit is an ERC1155 token, and users can transfer it. The ERC1155 functions safeTransferFrom() and safeBatchTransferFrom() include a sanity check that the receiver is not address(0).

However, there is no such requirement in the other transfer functions, transferDeposit() and transferDeposits().

Potentially this can cause issues in the future, because after such a transfer address(0) will hold deposits and the associated Stalk and Roots. At a minimum, it can receive a non-claimable part of the overall yield.

Vulnerability Details

It's hard to prove in words, so I created a test PoC showing that a transfer to address(0) executes successfully:
https://gist.github.com/T1MOH593/73aca79e01d29fc30c28bfd3ff1d3753

Impact

Deposits belonging to address(0) can cause issues in future upgrades.

Tools Used

Manual Review

Recommendations

Add a sanity check that the recipient is not address(0) to transferDeposit() and transferDeposits(), matching the check already present in the ERC1155 safeTransferFrom() and safeBatchTransferFrom() functions.
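The following is an added example and is not Beanstalk's code nor the PoC from the gist linked above. It models the pattern the finding describes with a hypothetical, deliberately simplified deposit ledger (`SimplifiedSilo`, its `deposits`/`stalk` mappings and function names are all assumptions): an unchecked transfer function that lets balance and Stalk accounting land on `address(0)`, beside the hardened variant that rejects the zero address the way the ERC1155 safe-transfer functions do. The accompanying Foundry test assumes `forge-std` is available and shows both behaviours.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed dependency: forge-std (Foundry's standard test library).
import "forge-std/Test.sol";

/// Hypothetical stand-in for a Silo-style deposit ledger. It is NOT Beanstalk's
/// code; it only reproduces the one behaviour the finding is about.
contract SimplifiedSilo {
    // owner => deposit id => amount
    mapping(address => mapping(uint256 => uint256)) public deposits;
    // simplified accounting: one unit of Stalk per unit deposited
    mapping(address => uint256) public stalk;

    function deposit(uint256 id, uint256 amount) external {
        deposits[msg.sender][id] += amount;
        stalk[msg.sender] += amount;
    }

    /// Pattern described in the finding: no zero-address check, so a deposit
    /// and its Stalk can be moved to address(0) and become unrecoverable.
    function transferDepositUnchecked(address recipient, uint256 id, uint256 amount) external {
        _move(msg.sender, recipient, id, amount);
    }

    /// Hardened variant: mirrors the check ERC1155 safeTransferFrom() performs.
    function transferDeposit(address recipient, uint256 id, uint256 amount) external {
        require(recipient != address(0), "Silo: transfer to the zero address");
        _move(msg.sender, recipient, id, amount);
    }

    function _move(address from, address to, uint256 id, uint256 amount) internal {
        require(deposits[from][id] >= amount, "Silo: insufficient deposit");
        deposits[from][id] -= amount;
        deposits[to][id] += amount;
        stalk[from] -= amount;
        stalk[to] += amount;
    }
}

/// Foundry test: the unchecked path succeeds and parks value on address(0);
/// the checked path reverts before any accounting changes.
contract SimplifiedSiloTest is Test {
    SimplifiedSilo silo;

    function setUp() public {
        silo = new SimplifiedSilo();
        silo.deposit(1, 100); // constructed sample deposit: id 1, 100 units
    }

    function testUncheckedTransferReachesZeroAddress() public {
        silo.transferDepositUnchecked(address(0), 1, 40);
        assertEq(silo.deposits(address(0), 1), 40);
        assertEq(silo.stalk(address(0)), 40);
        assertEq(silo.deposits(address(this), 1), 60);
    }

    function testCheckedTransferReverts() public {
        vm.expectRevert(bytes("Silo: transfer to the zero address"));
        silo.transferDeposit(address(0), 1, 40);
        // state untouched after the revert
        assertEq(silo.deposits(address(this), 1), 100);
        assertEq(silo.stalk(address(0)), 0);
    }
}
```

Run with `forge test` in a Foundry project that has `forge-std` installed. The check belongs in every entry point that moves deposits, not only in the ERC1155 safe-transfer functions, since any path that skips it leaves the same hole.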

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Too generic
Assigned finding tags:

Silo deposits can be transferred to `address(0)` which can cause issues in future upgrade
