
Report #31133

Report Date
May 12, 2024
Status
Closed
Payout

Diamond pointing to outdated (at risk) MigrationFacet address

Report Info

Report ID

#31133

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

  • Contract fails to deliver promised returns, but doesn't lose value

Description

The current MigrationFacet.sol is deployed at https://etherscan.io/address/0xbE73a5C684B1b53d7C7758B9a614Bcfdb24f822d, but the implementation address shown for the Diamond Contract points to an outdated MigrationFacet.sol at https://etherscan.io/address/0x9f2444e6cfaab6ea16fc05b989f1017508f84a41. This can lead to facet/function collisions between the old facet's functions and the updated functions in the new facet.

Vulnerability Details

In response to a bug report submitted to Immunefi, Beanstalk (BIC) authorized important changes to various facets in order to remove the vesting period.

This was the bug report: https://community.bean.money/bug-reports/bic-notes/report-27979. The changes authorized to prevent the bug are outlined in https://hackmd.io/@beanstalk-farms-operations/HJZ0WC39p?utm_source=preview-mode&utm_medium=rec#links, which entails various changes to contracts, including the MigrationFacet.sol addresses:

Migration Facet
The following MigrationFacet is removed from Beanstalk:
0x9F2444e6cFAAB6ea16Fc05B989f1017508F84A41

The following MigrationFacet is added to Beanstalk:
0xbE73a5C684B1b53d7C7758B9a614Bcfdb24f822d

Unfortunately, the Diamond Contract is still pointing to the old MigrationFacet.sol at address 0x9F2444e6cFAAB6ea16Fc05B989f1017508F84A41 and not to the updated MigrationFacet.sol at the new address 0xbE73a5C684B1b53d7C7758B9a614Bcfdb24f822d.

Impact Details

  1. I submit this as a medium, because critical bug reports whose fixes are not implemented correctly may cause bugs to persist.
  2. The Diamond contract design pattern is complex, and therefore it's important to ensure the Diamond contract is pointing to the correct facet address.

References

Diamond Contract proxy still pointing to old MigrationFacet address: https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5#writeProxyContract

Updated Facet address picked up by Louper: https://louper.dev/diamond/0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5?network=mainnet#facets

Proof of concept

The old MigrationFacet address can be viewed on Etherscan under "Read/Write as Proxy", where it is set as the Diamond's implementation address; this creates an implementation address collision.

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5#writeProxyContract

Here is a likely risk scenario:

  1. Bug is fixed in Facet A.
  2. Bug is still in Facet B.
  3. Changes are made to get the Diamond to point to Facet A.
  4. Diamond is still pointing to Facet B, with the bugs in it.
  5. Reported risk in the protocol persists.
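As an added example (not part of the report or of Beanstalk's code): rather than relying on Etherscan's proxy view, ask the Diamond itself which facet serves a given selector through the EIP-2535 loupe function facetAddress(bytes4), built as a raw eth_call and decoded offline. The selector 0x12345678 and the node reply below are constructed; the three addresses are the ones quoted in the report.

```python
"""Check which facet an EIP-2535 Diamond routes a selector to, using the
loupe call facetAddress(bytes4). Added example, not Beanstalk's own code."""
import json

DIAMOND = "0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5"    # Beanstalk Diamond (from the report)
OLD_FACET = "0x9F2444e6cFAAB6ea16Fc05B989f1017508F84A41"  # MigrationFacet removed per the report
NEW_FACET = "0xbE73a5C684B1b53d7C7758B9a614Bcfdb24f822d"  # MigrationFacet added per the report

# First 4 bytes of keccak256("facetAddress(bytes4)"), fixed by the EIP-2535 loupe interface
FACET_ADDRESS_SELECTOR = "cdffacc6"


def build_facet_address_call(diamond: str, selector: str) -> dict:
    """JSON-RPC eth_call payload asking `diamond` which facet serves `selector`.
    A bytes4 argument is ABI-encoded right-padded with zeros to 32 bytes."""
    sel = selector.lower().removeprefix("0x")
    if len(sel) != 8:
        raise ValueError("selector must be exactly 4 bytes")
    data = "0x" + FACET_ADDRESS_SELECTOR + sel + "0" * 56
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": diamond, "data": data}, "latest"]}


def decode_address(result_hex: str) -> str:
    """Decode the single ABI-encoded address (left-padded to 32 bytes) a node returns."""
    raw = result_hex.lower().removeprefix("0x")
    if len(raw) != 64 or raw[:24] != "0" * 24:
        raise ValueError("reply is not a single ABI-encoded address")
    return "0x" + raw[24:]


def check_facet(result_hex: str, expected: str) -> bool:
    """True only when the Diamond routes the selector to `expected`.
    address(0) means no facet serves the selector at all, which is also a failure."""
    got = decode_address(result_hex)
    return got != "0x" + "0" * 40 and got == expected.lower()


if __name__ == "__main__":
    sample_selector = "0x12345678"   # constructed, hypothetical migration function selector
    print(json.dumps(build_facet_address_call(DIAMOND, sample_selector)))
    # Constructed node reply: the Diamond answers with the new facet address.
    sample_reply = "0x" + "0" * 24 + NEW_FACET[2:].lower()
    print(check_facet(sample_reply, NEW_FACET))   # True
    print(check_facet(sample_reply, OLD_FACET))   # False
```

Send the printed payload to any mainnet JSON-RPC endpoint and pass the returned `result` to `check_facet`; a reply equal to the old address, or to address(0), is the condition the report describes.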

BIC Response

In our experience Etherscan is unreliable for viewing and interacting with diamond contracts and to your point, Louper is a better resource. If you find additional information that indicates Beanstalk is somehow using that old facet and it's not just an Etherscan issue, we would appreciate it if you shared that with us.