DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: medium
Invalid

Potential Reentrancy in initializeDiamondCut

Summary

The initializeDiamondCut function in the LibDiamond library uses delegatecall to execute initialization code on a target contract (_init). This introduces a potential reentrancy vulnerability if the target contract is malicious, allowing it to reenter the diamond during initialization.

Vulnerability Details

  • The initializeDiamondCut function is an internal function within LibDiamond, making it accessible to any contract inheriting from the library.

  • The function utilizes delegatecall to execute the initialization code specified in the _calldata on the _init contract.

  • If the _init contract is malicious, it could reenter the diamond contract during the execution of delegatecall, potentially manipulating the diamond's state before it is fully initialized.

Impact

A successful exploitation of this reentrancy vulnerability could lead to:

  • Incorrect State Variables: The attacker could manipulate the diamond's state variables before they are finalized, leading to unexpected and potentially harmful behavior.

  • Unauthorized Access: The attacker could gain unauthorized access to sensitive functions or data within the diamond contract.

  • Denial of Service: The diamond contract could be rendered unusable due to the corrupted state.

Tools Used

Manual Code Review

Recommendations

Reentrancy Guard: Implement a reentrancy guard pattern in the initializeDiamondCut function. A simple boolean flag can be used to prevent the function from being called recursively during its execution.

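function initializeDiamondCut(address _init, bytes memory _calldata) internal {
    // ... (existing code)

    // Reentrancy guard. `initializing` is a bool flag that is not declared in this
    // snippet; a Solidity library cannot declare state variables, so it is assumed
    // to be stored in the diamond's storage struct.
    require(!initializing, "ReentrancyGuard: reentrant call");
    initializing = true;
    // ... (delegatecall execution)
    initializing = false; // Reset the flag after execution
}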

Careful Review of _init Contracts: Thoroughly audit any contract passed as the _init argument to ensure it does not contain any malicious code or reentrancy vulnerabilities.
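
The reentrancy-guard recommendation above, written out as an added example that is not part of the submission or the audited project's code. The flag is kept in its own hashed storage slot because a library cannot declare state variables; the names LibInitGuard, GuardStorage, guardedInit and the slot string are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. All names here
// (LibInitGuard, GuardStorage, guardedInit, the slot string) are hypothetical.
library LibInitGuard {
    // Dedicated slot so the flag cannot collide with facet storage.
    bytes32 constant GUARD_SLOT = keccak256("example.init.guard.storage");

    struct GuardStorage {
        bool initializing;
    }

    function guardStorage() private pure returns (GuardStorage storage gs) {
        bytes32 slot = GUARD_SLOT;
        assembly {
            gs.slot := slot
        }
    }

    // Runs _calldata on _init via delegatecall, rejecting nested entry.
    function guardedInit(address _init, bytes memory _calldata) internal {
        if (_init == address(0)) {
            return; // nothing to initialize
        }
        require(_init.code.length > 0, "LibInitGuard: _init has no code");

        GuardStorage storage gs = guardStorage();
        require(!gs.initializing, "LibInitGuard: reentrant call");
        gs.initializing = true;

        (bool ok, bytes memory err) = _init.delegatecall(_calldata);
        if (!ok) {
            if (err.length > 0) {
                // Bubble up the initializer's revert data unchanged.
                assembly {
                    revert(add(err, 32), mload(err))
                }
            }
            revert("LibInitGuard: _init reverted");
        }

        // Reached only on success; a revert above rolls the flag back too.
        gs.initializing = false;
    }
}
```

Because `_init` runs through delegatecall with the diamond's own storage, its code can write the flag slot directly, so this guard only stops nested entry through code paths that honor it. Vetting what is passed as `_init` remains the control that constrains the initializer itself.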

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
