Unauthorized actions, crashes, or other unintended behaviors
Description
Detects whether a return in an assembly block unexpectedly halts execution.
TransparentUpgradeableProxy.admin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#58-60) calls TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
TransparentUpgradeableProxy.implementation() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#71-73) calls TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
TransparentUpgradeableProxy.changeAdmin(address) (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#82-84) calls TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
TransparentUpgradeableProxy.upgradeTo(address) (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#91-93) calls TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#102-104) calls TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
TransparentUpgradeableProxy.ifAdmin() (@openzeppelin/contracts/proxy/transparent/TransparentUpgradeableProxy.sol#41-47) calls Proxy._fallback() (@openzeppelin/contracts/proxy/Proxy.sol#54-57) which halt the execution return(uint256,uint256)(0,returndatasize()()) (@openzeppelin/contracts/proxy/Proxy.sol#39)
Impact Details
Potential to cause unauthorized actions, system instability, or full system compromise.
Proof of concept
Description: Detects whether a return in an assembly block unexpectedly halts execution.
Exploit Scenario:

    pragma solidity ^0.8.0;

    contract C {
        function f() internal returns (uint a, uint b) {
            assembly {
                return (5, 6)   // Yul return = EVM RETURN: ends the whole call, not just f()
            }
        }

        function g() public returns (bool) {
            f();
            return true;        // never reached: the call already ended inside f
        }
    }
The return statement in f halts execution of g as well. The call returns 6 bytes of memory starting at offset 5 instead of an ABI-encoded boolean.
Recommendation: Use the leave statement.
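As an added Solidity example (not code from this report, from Beanstalk, or from Slither), the halting contract above is placed beside a corrected variant in which the values are produced by a Yul function that exits with leave, so control comes back to Solidity and g() encodes its bool normally. A third contract makes the defect observable without a static analyser: a low-level call to the halting g() comes back with the raw 6 bytes the assembly returned rather than the 32 bytes of an ABI-encoded bool, and a high-level call would revert on decoding. The contract and function names (Halting, Fixed, Check, compute, haltingReturnLength, fixedReturnLength) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the report or from Slither; contract and function
// names are illustrative.

// Vulnerable form: a Yul `return` ends the whole external call, not just f().
contract Halting {
    function f() internal returns (uint256 a, uint256 b) {
        assembly {
            // return(p, s): stop execution and hand back s bytes of memory
            // starting at offset p. This is the EVM RETURN, so g() never resumes.
            return(5, 6)
        }
    }

    function g() public returns (bool) {
        f();          // control never comes back here
        return true;  // unreachable: the caller receives raw bytes, not a bool
    }
}

// Corrected form: the values come from a Yul function that exits with `leave`.
// `leave` ends only that Yul function; the assembly block then finishes,
// f() returns to g(), and g() ABI-encodes its bool as usual.
contract Fixed {
    function f() internal pure returns (uint256 a, uint256 b) {
        assembly {
            function compute() -> x, y {
                x := 5
                y := 6
                leave   // exits compute() only, not the external call
            }
            a, b := compute()
        }
    }

    function g() public pure returns (bool) {
        (uint256 a, uint256 b) = f();
        return a == 5 && b == 6;
    }
}

// Checker: measures the raw return data of each g() through a low-level call.
// A low-level call does not ABI-decode the result, so it does not revert on
// the short return data and lets us inspect its length.
contract Check {
    function haltingReturnLength() external returns (uint256) {
        Halting h = new Halting();
        (bool ok, bytes memory data) = address(h).call(abi.encodeWithSignature("g()"));
        require(ok, "call failed");
        // Length of the assembly return's data (the 6 bytes described above),
        // not the 32 bytes of an ABI-encoded bool.
        return data.length;
    }

    function fixedReturnLength() external returns (uint256) {
        Fixed x = new Fixed();
        (bool ok, bytes memory data) = address(x).call(abi.encodeWithSignature("g()"));
        require(ok, "call failed");
        // Length of a properly ABI-encoded bool: one 32-byte word.
        return data.length;
    }
}
```

Deploying Check and calling haltingReturnLength() against a local node shows the short return data directly; abi.decode(data, (bool)) on that payload reverts, which is the runtime symptom that the Slither finding above predicts statically.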
Immunefi Response
Immunefi has reviewed this vulnerability report and decided to close it since it is out of scope for the Beanstalk bug bounty program.
claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
PoC has been submitted to the project
claimed severity is in scope for the bug bounty program
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.