Report #30288

Report Date

April 22, 2024

Status

Closed

Payout

Permit functions in `Depot.sol`can be affected by Dos

‣

Report Info

Report ID#30288

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2

Impacts

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Depot.sol supports permit function which can be affected by Dos making them unusable

Vulnerability Details

Depot.sol allows ERC20 permit for following functions in contract:

permitToken()
permitDeposit()
permitDeposits()

These functions allows users to permit tokens and deposits via ERC20 permit functionality.

For example, permitToken() uses beanstalk.permitToken() to permit the tokens to spender on his behalf.

    function permitToken(
        address owner,
        address spender,
        address token,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external payable {
        beanstalk.permitToken(owner, spender, token, value, deadline, v, r, s);
    }

This supports ERC20 permit functionality by which users could spend the tokens by signing an approval off-chain.

The issue is that while the transactions for permitToken(), permitDeposit() and permitDeposits() is in mempool, anyone could extract the signature parameters from the call to front-run the transaction with direct permit call. Since, the contract is deployed on Ethereum mainnet so this issue is possible due to presence of mempool.

This issue is originally submitted by Trust security aka Trust to various on chain protocols and the issue is confirmed by reputed protocols.

To understand the issue in detail, Please refer below link:

link: https://www.trust-security.xyz/post/permission-denied

An attacker can extract the signature by observing the mempool, front-run the victim with a direct permit, and revert the function call for the user. "In the case that there is no fallback code path the DOS is long-term (there are bypasses through flashbots in some chains, but that's a really bad scenario to resort to)." as stated by Trust Security.

This issue would indeed increase the approval for the user if the front-run got successful. But as the permit is already been used, the call to permitToken(), permitDeposit() and permitDeposits()will revert making whole transaction revert. Thus making the victim not able to make successful call to permitToken(), permitDeposit() and permitDeposits() by using permit() function.

Impact Details

Users will not be able to use the permit functions for important functions like permitToken(), permitDeposit() and permitDeposits() so this function would be practically unusable and users functionality would be affected due to griefing attack by attacker.

References

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2?utm_source=immunefi

https://www.trust-security.xyz/post/permission-denied

Recommendation to fix

Wrap the ERC20 permit function calls in try catch block in functions.

References

https://www.trust-security.xyz/post/permission-denied

Proof of concept

Consider a normal scenario,

Bob wants to permit the tokens or deposit token via permit so he calls either permitToken() or permitDeposit(). To be noted, the contract is deployed on Ethereum so there is presence of mempool.
Alice observes the transactions in mempool and extract the signature parameters from the call to front-run the transaction with direct permit call.
Alice transaction got successful due to high gas fee paid by her to minor by front running the Bob's transaction.
This action by Alice would indeed increase the approval for the Bob since the front-run got successful.
But as the permit is already been used by Alice so the call to permitToken() or permitDeposit() will revert making whole transaction revert.
Now, Bob will not able to make successful call to permitToken() or permitDeposit() by using permit() function. This is due to griefing attack by Alice. She keep repeating such attack as the intent in griefing.

Immunefi Response

Thank you for submitting your vulnerability report to the Beanstalk bug bounty program. After reviewing your report, we have decided to close it due to the absence of a PoC.
Our review found that:
assessed impact by the triage team is in scope for the bug bounty program
assessed asset by the triage team is in scope for the bug bounty program
No working PoC was submitted with the report
As per the program policy, A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.
We take the triaging of submissions seriously at Immunefi, and our process involves checking the PoC to see if it matches the assessed impact and bug description, as well as verifying the accuracy of the whitehat's claims.
Please note that the Project's team will receive a report of the closed submission and may choose to re-open it at their discretion. However, they are under no obligation to do so.

Permit functions in `Depot.sol`can be affected by Dos

‣

Report Info

Report ID#30288

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2

Impacts

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

Depot.sol supports permit function which can be affected by Dos making them unusable

Vulnerability Details

Depot.sol allows ERC20 permit for following functions in contract:

permitToken()
permitDeposit()
permitDeposits()

These functions allows users to permit tokens and deposits via ERC20 permit functionality.

For example, permitToken() uses beanstalk.permitToken() to permit the tokens to spender on his behalf.

    function permitToken(
        address owner,
        address spender,
        address token,
        uint256 value,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external payable {
        beanstalk.permitToken(owner, spender, token, value, deadline, v, r, s);
    }

This supports ERC20 permit functionality by which users could spend the tokens by signing an approval off-chain.

This issue is originally submitted by Trust security aka Trust to various on chain protocols and the issue is confirmed by reputed protocols.

To understand the issue in detail, Please refer below link:

link: https://www.trust-security.xyz/post/permission-denied

An attacker can extract the signature by observing the mempool, front-run the victim with a direct permit, and revert the function call for the user. "In the case that there is no fallback code path the DOS is long-term (there are bypasses through flashbots in some chains, but that's a really bad scenario to resort to)." as stated by Trust Security.

Impact Details

References

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2?utm_source=immunefi

https://www.trust-security.xyz/post/permission-denied

Recommendation to fix

Wrap the ERC20 permit function calls in try catch block in functions.

References

https://www.trust-security.xyz/post/permission-denied

Proof of concept

Consider a normal scenario,

Bob wants to permit the tokens or deposit token via permit so he calls either permitToken() or permitDeposit(). To be noted, the contract is deployed on Ethereum so there is presence of mempool.
Alice observes the transactions in mempool and extract the signature parameters from the call to front-run the transaction with direct permit call.
Alice transaction got successful due to high gas fee paid by her to minor by front running the Bob's transaction.
This action by Alice would indeed increase the approval for the Bob since the front-run got successful.
But as the permit is already been used by Alice so the call to permitToken() or permitDeposit() will revert making whole transaction revert.
Now, Bob will not able to make successful call to permitToken() or permitDeposit() by using permit() function. This is due to griefing attack by Alice. She keep repeating such attack as the intent in griefing.

Immunefi Response

Thank you for submitting your vulnerability report to the Beanstalk bug bounty program. After reviewing your report, we have decided to close it due to the absence of a PoC.

Our review found that:

assessed impact by the triage team is in scope for the bug bounty program
assessed asset by the triage team is in scope for the bug bounty program
No working PoC was submitted with the report
As per the program policy, A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

We take the triaging of submissions seriously at Immunefi, and our process involves checking the PoC to see if it matches the assessed impact and bug description, as well as verifying the accuracy of the whitehat's claims.

Please note that the Project's team will receive a report of the closed submission and may choose to re-open it at their discretion. However, they are under no obligation to do so.