The data currently used to generate the Blueprint hash will lead to a DoS for the following reason: it uses abi.encodePacked for operatorPasteInstrs, which has the type bytes32[].
According to the docs, operatorPasteInstrs is "a set of instructions that define how operator-defined data is injected into the AdvancedFarmCalls of the data".
Now imagine the case where the user creates blueprints with different strategies that execute the same operations but in a different order.
So Blueprint A has:
operatorPasteInstrs = ["a", "bc"]
And Blueprint B has:
operatorPasteInstrs = ["ab", "c"]
Those values, when hashed with keccak256(abi.encodePacked(blueprint.operatorPasteInstrs)), will return the same value.
In the PR discussion, the devs work on the assumption that those values are already "encoded": https://github.com/BeanstalkFarms/Beanstalk/pull/727#discussion_r1577293450
As operatorPasteInstrs can contain operations with the same value but in a different order, this will lead to the generation of the same hash. Once the maxNonce is reached, all blueprints for that publisher that share the same hash will become unusable.
DoS due to reverting when the maxNonce of different Blueprints with the same hash is reached.
Manual Review & Refs:
Replace abi.encodePacked with abi.encode.
Consider adding a salt value to the blueprint hash to ensure all hashes are unique, i.e. the current block.timestamp.
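A preimage check for the two blueprints above, as an added example that is not part of the original finding or the project's code. It models the byte layout of abi.encodePacked and abi.encode following the Solidity ABI specification's packed-mode rules (dynamic values are concatenated without a length, array elements are padded to 32 bytes) and compares preimages directly, since byte-equal preimages always hash to the same keccak256 value; which layout applies decides whether the two blueprints share a hash. All helper names are hypothetical.

```python
# Added example: models Solidity's packed and standard ABI layouts in pure
# Python to compare hash preimages. Helper names are hypothetical.

WORD = 32

def to_bytes32(value: bytes) -> bytes:
    """Solidity bytes32 value: left-aligned, zero-padded on the right."""
    if len(value) > WORD:
        raise ValueError("value does not fit in bytes32")
    return value.ljust(WORD, b"\x00")

def packed_dynamic(*values: bytes) -> bytes:
    """abi.encodePacked(bytes, bytes, ...): raw concatenation, no lengths."""
    return b"".join(values)

def packed_bytes32_array(items: list[bytes]) -> bytes:
    """abi.encodePacked(bytes32[]): every element is a full 32-byte word,
    concatenated in place with no length prefix."""
    return b"".join(to_bytes32(i) for i in items)

def encode_bytes32_array(items: list[bytes]) -> bytes:
    """abi.encode(bytes32[]): offset word, length word, then the elements."""
    offset = WORD.to_bytes(WORD, "big")
    length = len(items).to_bytes(WORD, "big")
    return offset + length + packed_bytes32_array(items)

# Constructed sample values: the two blueprints from the text.
A = [b"a", b"bc"]
B = [b"ab", b"c"]

def report() -> dict:
    """True means both blueprints yield the same preimage (same hash)."""
    return {
        "packed dynamic bytes": packed_dynamic(*A) == packed_dynamic(*B),
        "packed bytes32[]": packed_bytes32_array(A) == packed_bytes32_array(B),
        "abi.encode bytes32[]": encode_bytes32_array(A) == encode_bytes32_array(B),
    }

if __name__ == "__main__":
    for layout, collides in report().items():
        print(f"{layout:22} identical preimage: {collides}")
```

The same comparison can be run against the real contract types before and after switching to abi.encode to confirm which layout the blueprint hash actually uses.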