Submission Details
Severity: low
Invalid

No access conditions for `_mow` used in sequence with `withdrawDeposit`, `withdrawDeposits` and {SiloFacet-transferDeposit(s)}

Summary
There is no implementation of the access conditions described in this comment:

https://github.com/Cyfrin/2024-05-beanstalk-the-finale/blob/4e0ad0b964f74a1b4880114f4dd5b339bc69cd3e/protocol/contracts/libraries/Silo/LibSilo.sol#L413C1-L425C61

* This is why `_mow()` must be called before any actions that change Seeds,
* including:
* - {SiloFacet-deposit}
* - {SiloFacet-withdrawDeposit}
* - {SiloFacet-withdrawDeposits}
* - {_plant}
* - {SiloFacet-transferDeposit(s)}

Vulnerability Details

Possibility of breaking the rules of the protocol.

Impact

* Claims the Grown Stalk for account and applies it to their Stalk
* balance. Also handles Season of Plenty related rain.
*
* This is why _mow() must be called before any actions that change Seeds,

This is not fulfilled.

Tools Used

Slither, Echidna, Hardhat, Foundry

Recommendations

Grant `tx.origin` a temporary role as `_mowTrigerer` (`grantRole("MOWTRIGERER", tx.origin)` or similar) and check for that role before allowing these functions:

    • {SiloFacet-deposit}
    • {SiloFacet-withdrawDeposit}
    • {SiloFacet-withdrawDeposits}
    • {_plant}
    • {SiloFacet-transferDeposit(s)}
    • Then revoke this role after the action is performed: `revokeRole("MOWTRIGERER", tx.origin)`
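The invariant the LibSilo comment describes is that `_mow()` settles an account's Grown Stalk before its Seeds change. The following is an added illustration, not Beanstalk's code and not the submitter's proposal: a minimal Silo-like contract in which a modifier routes every Seeds-changing entry point through `_mow()` for `msg.sender`, so the ordering is enforced by construction rather than by a role granted to `tx.origin`. Every name, rate and accounting rule in it is constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not Beanstalk code: a minimal Silo-like contract where every
/// entry point that changes Seeds is routed through `_mow()` by a modifier, so
/// the "mow before deposit/withdraw/transfer" ordering cannot be skipped.
/// All names and the accounting below are constructed for illustration.
contract MowGuardedSilo {
    /// Seeds held per account per token (constructed accounting).
    mapping(address => mapping(address => uint256)) public seeds;
    /// Stalk credited to each account, including Grown Stalk claimed by `_mow()`.
    mapping(address => uint256) public stalk;
    /// Season up to which each account's Grown Stalk has been claimed, per token.
    mapping(address => mapping(address => uint32)) public lastMowedSeason;

    uint32 public currentSeason;
    /// Constructed rate: each Seed grows this much Stalk per Season.
    uint256 public constant STALK_PER_SEED_PER_SEASON = 1e4;

    event Mowed(address indexed account, address indexed token, uint256 grownStalk);

    /// Enforces the documented invariant: the caller is mowed for `token`
    /// before the guarded body runs, so Grown Stalk is settled at the pre-action
    /// Seed balance and never at the post-action balance.
    modifier mowed(address token) {
        _mow(msg.sender, token);
        _;
    }

    /// Claims Grown Stalk for `account` on `token` and records the season.
    /// Idempotent within a season, so a second call in the same season is a no-op.
    function _mow(address account, address token) internal {
        uint32 last = lastMowedSeason[account][token];
        if (last < currentSeason) {
            uint256 grown = seeds[account][token] * (currentSeason - last) * STALK_PER_SEED_PER_SEASON;
            stalk[account] += grown;
            lastMowedSeason[account][token] = currentSeason;
            emit Mowed(account, token, grown);
        }
    }

    function deposit(address token, uint256 amount) external mowed(token) {
        seeds[msg.sender][token] += amount;
    }

    function withdrawDeposit(address token, uint256 amount) external mowed(token) {
        require(seeds[msg.sender][token] >= amount, "insufficient seeds");
        seeds[msg.sender][token] -= amount;
    }

    function withdrawDeposits(address token, uint256[] calldata amounts) external mowed(token) {
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) total += amounts[i];
        require(seeds[msg.sender][token] >= total, "insufficient seeds");
        seeds[msg.sender][token] -= total;
    }

    /// Both parties change Seeds here, so the recipient is mowed explicitly
    /// in addition to the sender, who is handled by the modifier.
    function transferDeposit(address recipient, address token, uint256 amount) external mowed(token) {
        require(seeds[msg.sender][token] >= amount, "insufficient seeds");
        _mow(recipient, token);
        seeds[msg.sender][token] -= amount;
        seeds[recipient][token] += amount;
    }

    /// Stand-in for the season-advancing call (constructed and left
    /// unpermissioned only so the example can be exercised in a test).
    function advanceSeason() external {
        currentSeason += 1;
    }
}
```

The design choice here is to key the guard on `msg.sender`, the account whose Seeds the function actually modifies, and to make `_mow()` idempotent within a season; that removes the need for a grant-then-revoke step around each call, and a Foundry test that advances the season, deposits, and asserts on `stalk` before and after the next guarded call exercises the invariant directly.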

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
Assigned finding tags:

Quality
