
Report #31113

Report Date
May 12, 2024
Status
Closed
Payout

DoS Vulnerability in Depot's `farm` function through Malicious `delegatecall` Input

Report Info

Report ID

#31113

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2

Impacts

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Description

The farm function in the Depot contract allows unfiltered delegatecall execution, which can lead to a Denial of Service (DoS) vulnerability. If exploited in production/mainnet, it can disable the smart contract's functionality, halt token transfers, and impact contract interactions, potentially resulting in money or asset loss.

Vulnerability Details

The vulnerability lies in the farm function of the Depot contract that accepts an array of bytes (named data) containing encoded function calls, and executes each function call within the contract using delegatecall. There are no restrictions or validations on the incoming data, which allows any vested party to execute arbitrary code, including potential DoS attacks by crafting deep recursive function calls or gas-heavy operations.

function farm(bytes[] calldata data)
    external
    payable
    returns (bytes[] memory results)
{
    ...
    (bool success, bytes memory result) = address(this).delegatecall(data[i]);
    ...
}

Impact Details

If successfully exploited, an attacker can perform a DoS attack by passing a malicious data array to the farm function to cause code execution that consumes excessive gas, leading to a stack overflow or out-of-gas error. This would effectively render the smart contract unusable, impacting other interactions and potentially causing loss of funds stored within the contract.

References

Proof of concept

The Proof of Concept (PoC) in our context can be reproduced by calling the farm function with a data array containing encoded function calls crafted to cause excessive gas consumption or deep recursion:

uint256 iterations = 100000; // or any other large value
bytes[] memory data = new bytes[](iterations);
for (uint256 i; i < iterations; i++) {
    data[i] = abi.encodeWithSignature("recursiveFunction()"); // recursive function call
}
depot.farm(data); // depot: a deployed instance of the Depot contract

This PoC demonstrates the potential impact of a successful DoS attack by triggering a stack overflow or out-of-gas error, leading to the contract's inability to process other transactions. A thorough security review and the implementation of proper input validation mechanisms are necessary to mitigate this vulnerability effectively.
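The check a triager would run on this claim, as an added Foundry test that is not part of the report and not Beanstalk's or Depot's own code: `SelfMulticall` is a hypothetical stand-in for the pattern the report describes (a `farm` that delegatecalls each encoded call back into itself), `burnGas` plays the role of the gas-heavy payload, and `bump` is an ordinary function used to show the contract still works afterwards. The stand-in assumes `farm` reverts when an inner delegatecall fails; the page elides that part of the real function (`...`), so treat that as an assumption. What the test shows is EVM behaviour that holds for any such multicall: gas for `farm` is paid by the caller, an out-of-gas inner call reverts only that caller's own transaction, no state is left behind, and the contract remains usable for everyone else.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical stand-in for the delegatecall-to-self multicall pattern in the
// report. This is NOT the real Depot contract.
contract SelfMulticall {
    uint256 public counter;

    // Ordinary function, used to prove the contract still works after the attempt.
    function bump() external {
        counter += 1;
    }

    // The "gas-heavy" payload: loops until the gas forwarded to it is exhausted.
    // The storage write keeps the optimizer from removing the loop.
    function burnGas() external {
        while (true) {
            counter += 1;
        }
    }

    // Same shape as the report's farm(): every entry is delegatecalled back into
    // this contract. Assumption: a failed inner call reverts the whole transaction.
    function farm(bytes[] calldata data) external payable returns (bytes[] memory results) {
        results = new bytes[](data.length);
        for (uint256 i = 0; i < data.length; i++) {
            (bool success, bytes memory result) = address(this).delegatecall(data[i]);
            if (!success) {
                // Bubble up the inner revert data (empty for an out-of-gas call).
                assembly {
                    revert(add(result, 32), mload(result))
                }
            }
            results[i] = result;
        }
    }
}

contract FarmGasExhaustionTest is Test {
    SelfMulticall target;

    function setUp() public {
        target = new SelfMulticall();
    }

    function testGasExhaustionRevertsOnlyTheCallersTransaction() public {
        bytes[] memory data = new bytes[](1);
        data[0] = abi.encodeWithSelector(SelfMulticall.burnGas.selector);

        // The caller pays for the gas it forwards; the call exhausts it and reverts.
        // A 500k cap keeps the test fast; any budget gives the same outcome.
        vm.expectRevert();
        target.farm{gas: 500_000}(data);

        // The revert undid the partial storage writes from burnGas().
        assertEq(target.counter(), 0);

        // The contract is still fully usable for a normal farm() batch.
        bytes[] memory ok = new bytes[](2);
        ok[0] = abi.encodeWithSelector(SelfMulticall.bump.selector);
        ok[1] = abi.encodeWithSelector(SelfMulticall.bump.selector);
        target.farm(ok);
        assertEq(target.counter(), 2);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The point for anyone triaging a report of this shape is that a delegatecall-to-self multicall only lets a caller invoke functions of the same contract inside the caller's own transaction, so arbitrary `data` is the design rather than a missing validation; a report needs to show an effect that outlives the attacker's own reverted transaction (stuck state, a poisoned storage slot, a broken invariant) before it demonstrates impact on the asset.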

Immunefi Response

Thank you for submitting your vulnerability report to the Beanstalk bug bounty program. We appreciate your efforts and taking the time to report vulnerabilities to us. We have reviewed your submission, but unfortunately, we are closing the report for the following reasons:
  • The submission contains the output of an automated scanner without demonstrating that it is a valid issue.
  • The submission lacks the required information regarding the vulnerability's impact on the reported asset.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.