Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Valid

`LibTractor.sol`: Typed structured data hash is calculated incorrectly leading to wrong hash calculations

0xshoonya

Summary

Incorrect definition of BLUEPRINT_TYPE_HASH will result in an incorrectly computed hash in the _getBlueprintHash function.

Vulnerability Details

The BLUEPRINT_TYPE_HASH is defined as:
LibTractor.sol#L28-L31

bytes32 public constant BLUEPRINT_TYPE_HASH =

keccak256(

"Blueprint(address publisher,bytes data,bytes operatorData,uint256 maxNonce,uint256 startTime,uint256 endTime)"

);

And the Blueprint struct is defined as:
LibTractor.sol#L43-L50

struct Blueprint {

address publisher;

bytes data;

bytes32[] operatorPasteInstrs;

uint256 maxNonce;

uint256 startTime;

uint256 endTime;

}

EIP-712 standard requires that the data types, order, and names of the fields in the type hash string must match exactly with the struct.

bytes32[] operatorPasteInstrs is used in the struct and bytes operatorData is used in the type hash.

The BLUEPRINT_TYPE_HASH calculated above is used to calculate blueprint hash
LibTractor.sol#L139-L154

function _getBlueprintHash(Blueprint calldata blueprint) internal view returns (bytes32) {

return

_hashTypedDataV4(

keccak256(

abi.encode(

BLUEPRINT_TYPE_HASH,

blueprint.publisher,

keccak256(blueprint.data),

keccak256(abi.encodePacked(blueprint.operatorPasteInstrs)),

blueprint.maxNonce,

blueprint.startTime,

blueprint.endTime

)

);

}

Impact

Since the BLUEPRINT_TYPE_HASH does not accurately represent the Blueprint struct, the resulting hash will be incorrect.
Any signatures generated using this incorrect hash will be invalid.

Tools Used

Manual Review

Recommendations

Update the BLUEPRINT_TYPE_HASH to:

bytes32 public constant BLUEPRINT_TYPE_HASH =

keccak256(

"Blueprint(address publisher,bytes data,bytes32[] operatorPasteInstrs,uint256 maxNonce,uint256 startTime,uint256 endTime)"

);

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

The declaration and use of `LibTractor::BLUEPRINT_TYPE_HASH` is inconsistent with the field name of the structure `struct Blueprint`

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.