
Report #33411

Report Date
July 19, 2024
Status
Closed
Payout

ABI encodePacked Collision

Report Info

Report ID

#33411

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0x39cdAf9Dc6057Fd7Ae81Aaed64D7A062aAf452fD

Impacts

Collisions can lead to unauthorized actions.

Description

abi.encodePacked() uses a compact encoding that omits the length prefixes and padding of standard ABI encoding. When two or more dynamic arguments (string, bytes, arrays) are packed, different sets of input data can therefore produce the same encoded byte sequence. This can cause issues where the encoding or its hash is expected to be a unique identifier, leading to unexpected behavior.

Vulnerability Details

Internalizer.uri(uint256) (contracts/fertilizer/Internalizer.sol#41-43) calls abi.encodePacked() with multiple dynamic arguments:
  • string(abi.encodePacked(_uri, StringsUpgradeable.toString(_id))) (contracts/fertilizer/Internalizer.sol#42)

Impact Details

Description: Collision caused by the use of more than one dynamic type in abi.encodePacked().

Exploit Scenario:

```solidity
pragma solidity ^0.8.0;

contract Sign {
    function get_hash_for_signature(string memory name, string memory doc) external pure returns (bytes32) {
        // Vulnerable by design: both arguments are dynamic, so the packed bytes
        // do not record where `name` ends and `doc` begins.
        return keccak256(abi.encodePacked(name, doc));
    }
}
```

Bob calls get_hash_for_signature with ("bob", "This is the content"). The hash returned is used as an ID. Eve obtains the same ID with ("bo", "bThis is the content"), since both pairs pack to the identical byte sequence "bobThis is the content", and compromises the system.

Recommendation: Do not use more than one dynamic type in abi.encodePacked() (see the Solidity documentation). Prefer abi.encode(), whose standard encoding length-prefixes each dynamic argument so that argument boundaries are preserved.
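The following is an added example, not code from the report or from the Beanstalk repository. It is written in Python rather than Solidity so that it runs offline: it re-implements abi.encodePacked() and abi.encode() for string arguments, reproduces the ("bob", "This is the content") / ("bo", "bThis is the content") collision from the exploit scenario above, shows that the same collision does not occur under abi.encode(), and mirrors the `_uri` + `toString(_id)` concatenation flagged in Internalizer.uri(). The helper names, the `packed_collision` generalisation (moving one character across the argument boundary) and the sample URI strings are this example's own assumptions; Keccak-256 is taken from pycryptodome if it is installed, otherwise a clearly labelled SHA3-256 stand-in is used, which does not change the equal/not-equal outcome.

```python
"""Added example (not from the report or the Beanstalk code base): how
abi.encodePacked() collides on multiple dynamic arguments and how
abi.encode() avoids it."""
from typing import Tuple

try:  # pycryptodome provides Ethereum's Keccak-256
    from Crypto.Hash import keccak as _keccak

    def hash_id(data: bytes) -> bytes:
        """keccak256(data), as used for IDs in the exploit scenario."""
        return _keccak.new(digest_bits=256, data=data).digest()
except ImportError:  # assumption: stand-in hash when pycryptodome is absent
    import hashlib

    def hash_id(data: bytes) -> bytes:
        """SHA3-256 stand-in (NOT Keccak-256); equal input bytes still collide."""
        return hashlib.sha3_256(data).digest()


def encode_packed(*args: str) -> bytes:
    """abi.encodePacked for string arguments: raw UTF-8 bytes concatenated with
    no length prefix and no padding, so the boundary between arguments is lost."""
    return b"".join(a.encode("utf-8") for a in args)


def abi_encode(*args: str) -> bytes:
    """abi.encode for string arguments (standard ABI encoding): a head of
    32-byte offsets into the tail, then for each string a 32-byte length word
    followed by the data right-padded to a 32-byte boundary."""
    items = [a.encode("utf-8") for a in args]
    head_size = 32 * len(items)
    heads, tails = b"", b""
    for item in items:
        heads += (head_size + len(tails)).to_bytes(32, "big")
        padded = -(-len(item) // 32) * 32  # round up to a multiple of 32
        tails += len(item).to_bytes(32, "big") + item.ljust(padded, b"\x00")
    return heads + tails


def packed_collision(a: str, b: str) -> Tuple[str, str]:
    """Return a different pair (a', b') with encode_packed(a', b') ==
    encode_packed(a, b), by moving the last character of a to the front of b.
    Generalises the 'bob'/'This...' -> 'bo'/'bThis...' trick."""
    if not a:
        raise ValueError("first argument must be non-empty to move a character")
    return a[:-1], a[-1] + b


def token_uri(base_uri: str, token_id: int) -> str:
    """Mirror of string(abi.encodePacked(_uri, toString(_id))) in
    Internalizer.uri(): two dynamic values joined with no separator, so
    (base, id) pairs that differ can yield the same string."""
    return base_uri + str(token_id)


if __name__ == "__main__":
    honest = ("bob", "This is the content")
    forged = packed_collision(*honest)
    print("packed equal:", encode_packed(*honest) == encode_packed(*forged))
    print("hash equal:  ", hash_id(encode_packed(*honest)) == hash_id(encode_packed(*forged)))
    print("abi.encode equal:", abi_encode(*honest) == abi_encode(*forged))
    # Constructed sample: different (base URI, id) pairs, identical output.
    print(token_uri("ipfs://example/1", 2), "==", token_uri("ipfs://example/", 12))
```

Whether such a collision is exploitable depends on whether the packed bytes, or their hash, are relied on as a unique identifier; for the uri() case the report's Immunefi Response records the claimed impact as out of scope.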

References

https://docs.soliditylang.org/en/v0.5.10/abi-spec.html?highlight=abi.encodePacked#non-standard-packed-mode

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has not been submitted to the project
  • claimed severity is in scope for the bug bounty program

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.