Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

High Gas Consumption in Harvest Function Leading to Network Congestion and Denial of Service (DoS)

lordofterra

Summary

The _harvestPlot function in the FieldFacet, when called through the harvest function with large arrays of plots, can lead to significant gas consumption. An attacker, who does not care about gas expenditures, can exploit this by repeatedly calling the harvest function with maximum plot arrays. This can cause the protocol to hit the Ethereum block gas limit, resulting in network congestion, increased gas prices, and potential denial of service for legitimate users.

Proof of concept

1: The attacker identifies the harvest function and prepares a large array of plot indices.

2: The attacker repeatedly calls the harvest function with the large array, aiming to consume as much gas as possible.

3: Each call to _harvestPlot within harvest involves multiple state-changing operations, consuming significant gas. By filling the block gas limit, the attacker causes network congestion.

##Test

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

import {Beanstalk} from "../src/Beanstalk.sol"; // Assume Beanstalk is the contract containing harvest function

contract HarvestGasLimitTest is Test {

Beanstalk beanstalk;

address attacker;

function setUp() public {

beanstalk = new Beanstalk();

attacker = address(0x1234); // Simulated attacker address

// Assume necessary setup for the beanstalk contract

}

function testHarvestGasLimit() public {

uint256 fieldId = 1;

uint256[] memory plots = new uint256[](100); // Max batch size for demonstration

// Populate plots array with large number of indices

for (uint256 i = 0; i < plots.length; i++) {

plots[i] = i;

}

// Simulate repeated harvest calls by the attacker

vm.startPrank(attacker);

for (uint256 j = 0; j < 10; j++) {

beanstalk.harvest(fieldId, plots, LibTransfer.To.EXTERNAL);

}

vm.stopPrank();

}

Impact

1: Legitimate users may face difficulty in interacting with the protocol due to high gas prices and delayed transaction processing.

2: Network congestion can lead to higher gas prices, making transactions more expensive for all users.

Tools Used

Manual review

Recommendations

1: Restrict the number of plots processed in a single transaction to reduce gas consumption per transaction.

2: Implement rate limiting to control the frequency of high-cost transactions by a single address.

3: Optimize functions to reduce gas consumption, making it less feasible for an attacker to exploit high gas usage.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Appeal created

lordofterra Submitter

about 1 year ago

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.