Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Duplicate Token Check Leads to Potential Overwrites and Inconsistencies in the addUnripeToken function

lordofterra

Summary

The addUnripeToken function in the UnripeFacet allows the addition of new Unripe Tokens. However, it does not check if the unripeToken already exists in s.sys.silo.unripeSettings, leading to potential overwrites and inconsistencies. This issue can be exploited by malicious users to cause operational disruptions and financial losses, undermining the protocol's integrity and user trust.

Proof of concept

1: Initial Addition of Unripe Token:

i: A malicious user adds a new Unripe Token with legitimate parameters

unripeToken = 0xTokenAddress1
underlyingToken = 0xUnderlyingToken1
root = 0xRoot1

ii: This creates an entry in s.sys.silo.unripeSettings for 0xTokenAddress1 with the specified settings.

2: Overwriting Existing Unripe Token:

i: The malicious user calls the addUnripeToken function again with the same unripeToken but different parameters:

unripeToken = 0xTokenAddress1
underlyingToken = 0xUnderlyingToken2
root = 0xRoot2

ii: Since there is no check for existing tokens, this overwrites the previous settings for 0xTokenAddress1 with the new parameters.

3: Inconsistency Creation:

The protocol now holds incorrect or inconsistent data for 0xTokenAddress1.
Users who expected 0xTokenAddress1 to convert to 0xUnderlyingToken1 now face unexpected behavior, receiving 0xUnderlyingToken2 instead.
Claims verification using the Merkle root is disrupted, potentially allowing fraudulent claims.

4: Repeated Exploitation:

The malicious user can repeat this process multiple times, each time changing the underlying token and Merkle root, causing continuous disruptions and inconsistencies.

5: Operational Disruption:

By exploiting this repeatedly, the malicious user can cause significant operational issues, making it difficult for the protocol to maintain reliable and consistent token settings.

Impact

Overwriting existing settings for Unripe Tokens can lead to inconsistencies and potential security vulnerabilities.
Malicious users could exploit this by repeatedly adding the same Unripe Token with different settings, causing operational disruptions and financial losses.

Test

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import "forge-std/Test.sol";

import "../contracts/UnripeFacet.sol";

import "../contracts/libraries/LibAppStorage.sol";

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract TestDuplicateUnripeToken is Test {

UnripeFacet unripeFacet;

ERC20 unripeToken;

AppStorage s;

function setUp() public {

unripeFacet = new UnripeFacet();

unripeToken = new ERC20("Unripe Token", "URT");

// Initialize other necessary contracts and states

}

function testDuplicateUnripeTokenAddition() public {

address unripeTokenAddress = address(unripeToken);

address underlyingToken = address(new ERC20("Ripe Token", "RPT"));

bytes32 root = keccak256(abi.encodePacked("merkle root"));

// Add Unripe Token for the first time

unripeFacet.addUnripeToken(unripeTokenAddress, underlyingToken, root);

// Try adding the same Unripe Token again with different underlyingToken and root

address differentUnderlyingToken = address(new ERC20("Different Ripe Token", "DRPT"));

bytes32 differentRoot = keccak256(abi.encodePacked("different merkle root"));

vm.expectRevert("Unripe token already exists");

unripeFacet.addUnripeToken(unripeTokenAddress, differentUnderlyingToken, differentRoot);

}

Tools Used

Manual review

Recommendations

Implement a check to ensure that the unripeToken does not already exist in the settings before adding

function addUnripeToken(

address unripeToken,

address underlyingToken,

bytes32 root

) external payable fundsSafu noNetFlow noSupplyChange nonReentrant {

LibDiamond.enforceIsOwnerOrContract();

AppStorage storage s = LibAppStorage.diamondStorage();

// Check if the Unripe Token already exists

require(s.sys.silo.unripeSettings[unripeToken].underlyingToken == address(0), "Unripe token already exists");

// Add the Unripe Token settings

s.sys.silo.unripeSettings[unripeToken] = UnripeTokenSettings({

underlyingToken: underlyingToken,

merkleRoot: root,

balanceOfUnderlying: 0 // Initially set to 0 or some default value

});

emit AddUnripeToken(unripeToken, underlyingToken, root);

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Informational/Gas

Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.