DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: high
Invalid

Data Corruption Risk in LibReceiving's Interaction with LibAppStorage

Summary

This vulnerability is associated with the risk of data corruption due to improper access or modification of data structures in LibAppStorage by LibReceiving.

Vulnerability Details

The vulnerability exists because the LibAppStorage library exposes the AppStorage storage slot directly through the diamondStorage function. This allows functions within the LibReceiving library to access and modify the AppStorage data structures without adequate validation or synchronization, leading to potential data corruption. This function allows any calling function within the LibReceiving library to access and modify the storage directly, which can lead to unintended modifications and potential data corruption. For example, the siloReceive, fieldReceive, and barnReceive functions in LibReceiving directly modify the AppStorage state without additional validation or synchronization, leading to potential data corruption.

Impact

The impact of this vulnerability includes:

Inconsistent state data, leading to incorrect accounting and processing of Beans in the system.
Potential loss or misallocation of user funds.
Difficulty in tracking and auditing the state changes, leading to reduced trust in the system's integrity.

Tools Used

Manual code review

Recommendations

Implement Access Controls: Introduce access controls to ensure that only authorized functions can modify the AppStorage data structures.
Add Validation Checks: Before modifying any state variables, add checks to validate the data and ensure consistency.

Proof of Concept

function siloReceive(uint256 shipmentAmount, bytes memory) private {
    AppStorage storage s = LibAppStorage.diamondStorage();

    // Direct modification of state variables
    s.sys.silo.earnedBeans += shipmentAmount.toUint128();
    s.sys.silo.stalk += (shipmentAmount * C.STALK_PER_BEAN);
    s.sys.silo.balances[C.BEAN].deposited += uint128(shipmentAmount);
    s.sys.silo.balances[C.BEAN].depositedBdv += uint128(shipmentAmount);

    // Without checks, concurrent transactions may lead to inconsistent state
    emit Receipt(ShipmentRecipient.SILO, shipmentAmount, abi.encode(""));
}

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
