As stated in the contest's README, all ERC20 tokens should be compatible with the Beanstalk protocol. However, that is not the case for WETH, the ERC20-wrapped ETH token.
For a token to interact with the protocol, it must be on the Deposit Whitelist. Additional tokens can be added to the whitelist through Beanstalk governance (the Silo), subject to the whitelisting criteria. So if the community proposes WETH and the proposal is approved, the project must integrate it into the system. However, WETH will not work with the permit functionality in TokenSupportFacet.sol.
The WETH token does not implement a permit function. The protocol will therefore try to call a function that doesn't exist, and the call will be routed to WETH's fallback() function.
The fallback function is effectively the deposit() function. It causes no material consequences by itself, but because it doesn't fail, the calling function's execution continues. The protocol simply will not function properly.
For additional context, WETH combined with permit() was exactly the reason that led to the exploit of Multichain (previously AnySwap):
https://medium.com/zengo/without-permit-multichains-exploit-explained-8417e8c1639b
Impact: Medium, as it can lead to unintended behavior; permitERC20() will not work properly.
Likelihood: Medium, as it requires Beanstalk DAO's acceptance.
Overall: Medium
Manual Review
Maybe use try/catch blocks to check if the token supports the permit function before calling it.
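The silent no-op described above, next to a post-condition check that turns it into a revert. This is an added example, not Beanstalk's code and not part of the original finding. `MockWETH` and `PermitCaller` are constructed stand-ins, and since the call to the missing function does not fail, the checked variant verifies that an EIP-2612 nonce was actually consumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed stand-in for WETH: no permit(), and a payable fallback that deposits.
contract MockWETH {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function deposit() public payable { balanceOf[msg.sender] += msg.value; }
    receive() external payable { deposit(); }
    fallback() external payable { deposit(); }
}

interface IERC20Permit {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function nonces(address owner) external view returns (uint256);
}

// Hypothetical caller used for illustration; not the TokenSupportFacet source.
contract PermitCaller {
    // Unchecked: against MockWETH this returns normally and grants no allowance,
    // because the unknown selector lands in fallback() -> deposit() with 0 ETH.
    function permitUnchecked(IERC20Permit token, address owner, address spender,
        uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        token.permit(owner, spender, value, deadline, v, r, s);
    }

    // Checked: a real EIP-2612 permit consumes exactly one nonce of the owner.
    // Against MockWETH the nonces() staticcall reverts (the fallback writes state
    // and returns no data), so the missing permit fails loudly.
    function permitChecked(IERC20Permit token, address owner, address spender,
        uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) external {
        uint256 nonceBefore = token.nonces(owner);
        token.permit(owner, spender, value, deadline, v, r, s);
        require(token.nonces(owner) == nonceBefore + 1, "permit had no effect");
    }
}
```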