13:["$","$L31",null,{"pageReplacement":"$undefined","getWebVital":true,"pageId":"bug-reports-bic-notes-report-38420","records":{"block":{"bug-reports-bic-notes-report-38420":{"id":"bug-reports-bic-notes-report-38420","children":["1d96d11db45480c19da6f6b3e94be28c","1d96d11db45480628d3ce51dbb046ae1","1d96d11db454800a9aa2e6411d313632","1d96d11db45480ecb4e8c2dd973fdd0e"],"hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":[["Report #38420"]],"updatedAt":1745005741429,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999742008,"lastEditedTime":1745005741429,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"layout":null,"propertySort":[{"property":"{a|D","visibility":"show","type":"date","name":"Report Date"},{"property":"GnWs","visibility":"show","type":"select","name":"Status"},{"property":"Fh<[","visibility":"show","type":"number","name":"Payout"}],"uri":"/bug-reports/bic-notes/report-38420","fullWidth":false,"smallText":false,"noCover":true,"superProperties":{},"propertyValues":{"{a|D":[["‣",[["d",{"type":"date","start_date":"2025-01-02"}]]]],"GnWs":[{"color":"gray","value":"Closed"}]},"blockId":"1d96d11d-b454-80bb-afe1-c053ff762e3e"},"bug-reports":{"id":"bug-reports","children":[],"hasContent":true,"parentId":"a5a7bf6b51ec4b68b32f2007f41274ef","title":[["Bug Reports"]],"updatedAt":1730166674632,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"🪲","coverPosition":0.2693,"createdTime":1666242480000,"lastEditedTime":1730166674632,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"cover":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/a2bce83a-eb08-4b8a-84dd-4de45ceb9115/dalle/public","uri":"/bug-reports","blockId":"f653305e-4ed7-4734-bb5d-fe173aa8d98f"},"d2246af0639c440b9153316b52856b7d":{"id":"d2246af0639c440b9153316b52856b7d","children":[],"hasContent":true,"parentId":"7152ae7a68b846a18b9ad3f2b742cf39","title":[["Beanstalk Notion"]],"updatedAt":1726681064870,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public","coverPosition":0.1349,"createdTime":1665459157361,"lastEditedTime":1726681064870,"createdBy":[{"0":"‣","1":[{"0":"u"}]}],"lastEditedBy":[{"0":"‣","1":[{"0":"u"}]}],"description":null,"cover":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/55f768dc-bb88-491b-8aaf-55c802563c47/bg-mainnet/public","uri":"/d2246af0639c440b9153316b52856b7d","blockId":"d2246af0-639c-440b-9153-316b52856b7d"},"bug-reports-bic-notes":{"id":"bug-reports-bic-notes","children":[],"hasContent":false,"parentId":"bug-reports","title":[["BIC Notes"]],"updatedAt":1745001819636,"type":"collection_page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","uri":"/bug-reports/bic-notes","collectionId":"81d407a1-3ac3-4b24-afbd-8ae2f633beb8","views":[],"cover":null,"description":[],"coverPosition":1},"links":{"id":"links","children":[],"hasContent":false,"parentId":"d2246af0639c440b9153316b52856b7d","title":[["Links"]],"updatedAt":1674433368143,"type":"collection_page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","uri":"/links","collectionId":"a5a7bf6b-51ec-4b68-b32f-2007f41274ef","views":[],"icon":"🔗","cover":null,"description":[["Pages in the Beanstalk Community Resource Center."]],"coverPosition":1},"1d96d11db45480c19da6f6b3e94be28c":{"id":"1d96d11db45480c19da6f6b3e94be28c","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-38420","title":[["Short-Calldata Zero-Padding Vulnerability in Diamond Proxy Allows Unexpected Fallback Execution",[["b",null]]]],"updatedAt":1745005684997,"type":"heading","subType":"sub_header","depth":2},"1d96d11db45480628d3ce51dbb046ae1":{"id":"1d96d11db45480628d3ce51dbb046ae1","children":["1d96d11db454801182abf487d16b8280","1d96d11db4548049a5b0cbf0bcd83558","1d96d11db45480f79bcaecd6b3b5dffb","1d96d11db4548057ba98efd0b37e9f93","1d96d11db45480119fa8fe95138840b6","1d96d11db4548050a246cc1850243637","1d96d11db45480a790b2c5d38707f285","1d96d11db4548066af0cf07e4f9de694","1d96d11db45480fba434da21dae27daf","1d96d11db4548089b093cb683055d2df","1d96d11db4548016827ad3110f54a937","1d96d11db454807ba4c3c5805ccd6238","1d96d11db454806c94a7f85f16849a94","1d96d11db454807ab44ccdbb85e12686","1d96d11db45480e2a772e5774c065769","1d96d11db454804bb3eae54a10c27858","1d96d11db45480248388eafadb8adf27","1d96d11db45480b88b9cefddc3cdb72b","1d96d11db45480eb8c57c505459218cc","1d96d11db454803489cdd6ee032952ba","1d96d11db45480abbd5bc9bcbfb7b8c7","1d96d11db45480d7bff2c5f90a7931f5","1d96d11db4548088b392ee2f9190fa29","1d96d11db454807198e0df743af9b105","1d96d11db454802c9191fe55611ba60c","1d96d11db45480449569fcb301cdb6f7","1d96d11db4548033a845fda9af2c788d","1d96d11db45480878f79d2714dc050c4","1d96d11db45480a29a80c4098cb1a4c6","1d96d11db4548081aafcc03d2708573e","1d96d11db454803a9c6aee3fb6520fa4","1d96d11db454809590ecf44539abf3c7"],"hasContent":true,"parentId":"bug-reports-bic-notes-report-38420","title":[["Report Info",[["b",null]]]],"updatedAt":1745005738634,"type":"toggle","subType":null,"depth":null,"color":null},"1d96d11db454801182abf487d16b8280":{"id":"1d96d11db454801182abf487d16b8280","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Report ID",[["b",null]]]],"updatedAt":1745005711853,"type":"text"},"1d96d11db4548049a5b0cbf0bcd83558":{"id":"1d96d11db4548049a5b0cbf0bcd83558","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["#38420"]],"updatedAt":1745005709755,"type":"text"},"1d96d11db45480f79bcaecd6b3b5dffb":{"id":"1d96d11db45480f79bcaecd6b3b5dffb","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Report type",[["b",null]]],[" "]],"updatedAt":1745005713904,"type":"text"},"1d96d11db4548057ba98efd0b37e9f93":{"id":"1d96d11db4548057ba98efd0b37e9f93","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Smart Contract"]],"updatedAt":1745005712979,"type":"text"},"1d96d11db45480119fa8fe95138840b6":{"id":"1d96d11db45480119fa8fe95138840b6","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Has PoC?",[["b",null]]],[" "]],"updatedAt":1745005717133,"type":"text"},"1d96d11db4548050a246cc1850243637":{"id":"1d96d11db4548050a246cc1850243637","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Yes"]],"updatedAt":1745005717133,"type":"text"},"1d96d11db45480a790b2c5d38707f285":{"id":"1d96d11db45480a790b2c5d38707f285","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Target",[["b",null]]]],"updatedAt":1745005720486,"type":"text"},"1d96d11db4548066af0cf07e4f9de694":{"id":"1d96d11db4548066af0cf07e4f9de694","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5",[["a","https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5"]]]],"updatedAt":1745005724742,"type":"text"},"1d96d11db45480fba434da21dae27daf":{"id":"1d96d11db45480fba434da21dae27daf","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Impacts",[["b",null]]]],"updatedAt":1745005727353,"type":"text"},"1d96d11db4548089b093cb683055d2df":{"id":"1d96d11db4548089b093cb683055d2df","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"]],"updatedAt":1745005726818,"type":"text"},"1d96d11db4548016827ad3110f54a937":{"id":"1d96d11db4548016827ad3110f54a937","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Description"]],"updatedAt":1745005704140,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db454807ba4c3c5805ccd6238":{"id":"1d96d11db454807ba4c3c5805ccd6238","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["A subtle edge case exists in Beanstalk's Diamond proxy (an EIP-2535 implementation) where any msg.data.length < 4 call leads to zero-padding of msg.sig. For example, calldata of just 0xff becomes 0xff000000. If a facet with that partial selector (0xff000000) is added (e.g., via governance), and its fallback function contains harmful logic, it could be unintentionally or maliciously triggered—potentially resulting in unexpected state changes."]],"updatedAt":1745005704140,"type":"text"},"1d96d11db454806c94a7f85f16849a94":{"id":"1d96d11db454806c94a7f85f16849a94","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Vulnerability Details",[["b",null]]]],"updatedAt":1745005704140,"type":"text"},"1d96d11db454807ab44ccdbb85e12686":{"id":"1d96d11db454807ab44ccdbb85e12686","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Within the Diamond proxy's fallback, we observe:"]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480e2a772e5774c065769":{"id":"1d96d11db45480e2a772e5774c065769","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["fallback() external payable {\n LibDiamond.DiamondStorage storage ds;\n bytes32 position = LibDiamond.DIAMOND_STORAGE_POSITION;\n assembly {\n ds.slot := position\n }\n\n address facet = ds.selectorToFacetAndPosition[msg.sig].facetAddress;\n require(facet != address(0), \"Diamond: Function does not exist\");\n assembly {\n calldatacopy(0, 0, calldatasize())\n let result := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)\n returndatacopy(0, 0, returndatasize())\n switch result\n case 0 {\n revert(0, returndatasize())\n }\n default {\n return(0, returndatasize())\n }\n }\n}"]],"updatedAt":1745005733102,"type":"code","language":"Solidity","wrap":true,"link":null},"1d96d11db454804bb3eae54a10c27858":{"id":"1d96d11db454804bb3eae54a10c27858","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["The issue arises from Solidity's handling of msg.sig (a bytes4) when msg.data.length < 4. Zero-padding can map less-than-four-bytes calldata—like 0xff—to a 4-byte selector 0xff000000. If a facet with that exact selector has a fallback function, the Diamond proxy will delegate-call to it:"]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480248388eafadb8adf27":{"id":"1d96d11db45480248388eafadb8adf27","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["contract TestFacet {\n // The function selector is 0xff000000\n function BlazingIt6886408584() public payable {}\n\n fallback() external {\n // Potentially malicious or unexpected logic\n }\n}\n\n...\n\n// Sending only one byte (\"0xff\") triggers the delegatecall to TestFacet\n// and fallback would be executed\naddress(beanstalk).call(hex\"ff\");"]],"updatedAt":1745005735374,"type":"code","language":"Solidity","wrap":true,"link":null},"1d96d11db45480b88b9cefddc3cdb72b":{"id":"1d96d11db45480b88b9cefddc3cdb72b","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Potential for \"Selector Mining\"",[["b",null]]]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480eb8c57c505459218cc":{"id":"1d96d11db45480eb8c57c505459218cc","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Attackers can also perform selector mining to generate specific 4-byte function selectors that end (or begin) with particular bytes. By brute-forcing various function signatures (e.g., tweaking the name or parameters), they may deliberately produce a function that looks legitimate but with a selector like 0xff000000 (or another that partially matches short calldata). Once introduced via governance or other means, this seemingly innocuous facet function could allow fallback-based exploits to remain hidden in plain sight."]],"updatedAt":1745005704140,"type":"text"},"1d96d11db454803489cdd6ee032952ba":{"id":"1d96d11db454803489cdd6ee032952ba","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Why Might Calldata < 4 Occur?",[["b",null]]]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480abbd5bc9bcbfb7b8c7":{"id":"1d96d11db45480abbd5bc9bcbfb7b8c7","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["While it's true that calls with fewer than 4 bytes are not typical, in my opinion they are still possible in several scenarios:"]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480d7bff2c5f90a7931f5":{"id":"1d96d11db45480d7bff2c5f90a7931f5","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Phishing or Social Engineering: A malicious interface could trick users into sending a transaction. The user might think it's a harmless or empty call, when in fact it activates an unexpected fallback."]],"updatedAt":1745005704140,"type":"numbered_list"},"1d96d11db4548088b392ee2f9190fa29":{"id":"1d96d11db4548088b392ee2f9190fa29","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Malicious Contract-to-Contract Calls: Attackers could craft a contract that deliberately sends very short calldata to exploit the zero-padded selector, making it difficult for users of the contract to detect the issue."]],"updatedAt":1745005704140,"type":"numbered_list"},"1d96d11db454807198e0df743af9b105":{"id":"1d96d11db454807198e0df743af9b105","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Accidental or Testing Mistakes: Under certain circumstances, both humans and programs can make mistakes, which may lead to unintended outcomes due to the unexpected execution path."]],"updatedAt":1745005704140,"type":"numbered_list"},"1d96d11db454802c9191fe55611ba60c":{"id":"1d96d11db454802c9191fe55611ba60c","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["In isolation, this might appear edge-case, but if a malicious facet is successfully introduced—especially via governance—this quirk becomes a potential vector for unauthorized actions."]],"updatedAt":1745005704140,"type":"text"},"1d96d11db45480449569fcb301cdb6f7":{"id":"1d96d11db45480449569fcb301cdb6f7","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Impact Details",[["b",null]]]],"updatedAt":1745005704140,"type":"text"},"1d96d11db4548033a845fda9af2c788d":{"id":"1d96d11db4548033a845fda9af2c788d","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Unexpected Execution Path: By exploiting zero-padding, a single-byte (or otherwise short) calldata can invoke a fallback that was never meant to be called."]],"updatedAt":1745005704140,"type":"numbered_list"},"1d96d11db45480878f79d2714dc050c4":{"id":"1d96d11db45480878f79d2714dc050c4","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Potentially Harmful Operations: If the fallback function executes transfers, mints, or any privileged logic, it could pose a real threat to protocol security and user funds."]],"updatedAt":1745005704140,"type":"numbered_list"},"1d96d11db45480a29a80c4098cb1a4c6":{"id":"1d96d11db45480a29a80c4098cb1a4c6","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["This vulnerability doesn't immediately imply direct theft under normal circumstances. However, it still presents a risk because malicious fallback logic could be exploited for griefing, unauthorized state changes, or, depending on the facet's code, even fund misappropriation."]],"updatedAt":1745005704140,"type":"text"},"1d96d11db4548081aafcc03d2708573e":{"id":"1d96d11db4548081aafcc03d2708573e","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["Proof of concept"]],"updatedAt":1745005741429,"type":"heading","subType":"sub_sub_header","depth":3},"1d96d11db454803a9c6aee3fb6520fa4":{"id":"1d96d11db454803a9c6aee3fb6520fa4","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[["$32"]],"updatedAt":1745005747629,"type":"code","language":"Solidity","wrap":true,"link":null},"1d96d11db454809590ecf44539abf3c7":{"id":"1d96d11db454809590ecf44539abf3c7","children":[],"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":[],"updatedAt":1745005748842,"type":"text"},"1d96d11db454800a9aa2e6411d313632":{"id":"1d96d11db454800a9aa2e6411d313632","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-38420","title":[["BIC Response"]],"updatedAt":1745005769957,"type":"heading","subType":"sub_header","depth":2},"1d96d11db45480ecb4e8c2dd973fdd0e":{"id":"1d96d11db45480ecb4e8c2dd973fdd0e","children":[],"hasContent":false,"parentId":"bug-reports-bic-notes-report-38420","title":[["The situation you describe requires (1) a malicious fallback function to be introduced to the contracts and (2) an end user to unwittingly interact with said malicious function. These observations are not relevant to our bug bounty program and thus we are closing the report."]],"updatedAt":1745005771104,"type":"text"}},"team":{"7152ae7a-68b8-46a1-8b9a-d3f2b742cf39":{"role":"none"}},"form_question":{},"entity":{},"pageId":"1d96d11db45480bbafe1c053ff762e3e","pagesToCreate":[]},"settings":{"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","favicon":null,"fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":null,"code":{"head":[],"body":[],"style":[],"css":""},"files":[],"hasPassword":false,"hasFeed":false},"smallText":false,"config":"$undefined","pageLocation":"/bug-reports/bic-notes/report-38420","passwords":[],"styles":"","children":[["$","main",null,{"id":"page-bug-reports-bic-notes-report-38420","className":"super-content page__bug-reports-bic-notes-report-38420 parent-page__bug-reports-bic-notes","children":[["$","$L33",null,{"url":"https://community.bean.money/bug-reports/bic-notes/report-38420","title":"Report #38420","description":"The situation you describe requires (1) a malicious fallback function to be introduced to the contracts and (2) an end user to unwittingly interact with said malicious function. These observations are not relevant to our bug bounty program and thus we are closing the report.","root":{"id":"d2246af0639c440b9153316b52856b7d","uri":"/","title":"Beanstalk Notion","icon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public"},"image":null,"canonical":null,"author":null,"favicon":null,"breadcrumbs":[{"id":"bug-reports","uri":"/bug-reports","title":"Bug Reports","icon":"🪲"},{"id":"bug-reports-bic-notes","uri":"/bug-reports/bic-notes","title":"BIC Notes","icon":null},{"id":"bug-reports-bic-notes-report-38420","uri":"/bug-reports/bic-notes/report-38420","title":"Report #38420","icon":"📄"}],"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":null,"code":"$34","files":"$38","hasPassword":false,"hasFeed":false}],null,null,["$","div",null,{"className":"notion-header page","children":[["$","div",null,{"className":"notion-header__cover no-cover has-icon","children":null}],["$","div",null,{"className":"notion-header__content max-width no-cover has-icon","children":[["$","div",null,{"className":"notion-header__title-wrapper","children":[["$","div",null,{"className":"notion-header__icon-wrapper no-cover has-icon","children":["$","div",null,{"children":"📄"}]}],["$","h1",null,{"className":"notion-header__title","children":"Report #38420"}]]}],null]}]]}],["$","$L39",null,{"id":"bug-reports-bic-notes-report-38420","children":[[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db45480c19da6f6b3e94be28c"}],["$","h2",null,{"id":"block-1d96d11db45480c19da6f6b3e94be28c","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Short-Calldata Zero-Padding Vulnerability in Diamond Proxy Allows Unexpected Fallback Execution",{"children":"Short-Calldata Zero-Padding Vulnerability in Diamond Proxy Allows Unexpected Fallback Execution"}]}]],"$undefined"]}]],["$","$L3b","1d96d11db45480628d3ce51dbb046ae1",{"id":"1d96d11db45480628d3ce51dbb046ae1","children":[["$","p",null,{"id":"block-1d96d11db454801182abf487d16b8280","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Report ID",{"children":"Report ID"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548049a5b0cbf0bcd83558","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-#38420",{"children":"#38420"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480f79bcaecd6b3b5dffb","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Report type",{"children":"Report type"}]}],["$","$3a","1- ",{"children":" "}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548057ba98efd0b37e9f93","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-Smart Contract",{"children":"Smart Contract"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480119fa8fe95138840b6","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Has PoC?",{"children":"Has PoC?"}]}],["$","$3a","1- ",{"children":" "}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548050a246cc1850243637","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-Yes",{"children":"Yes"}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480a790b2c5d38707f285","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Target",{"children":"Target"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548066af0cf07e4f9de694","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$L3c","https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5",{"className":"link","uri":"https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5","children":["$","$3a","0-https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5",{"children":"https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480fba434da21dae27daf","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Impacts",{"children":"Impacts"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db4548089b093cb683055d2df","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)",{"children":"Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)"}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db4548016827ad3110f54a937"}],["$","h3",null,{"id":"block-1d96d11db4548016827ad3110f54a937","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$3a","0-Description",{"children":"Description"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db454807ba4c3c5805ccd6238","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-A subtle edge case exists in Beanstalk's Diamond proxy (an EIP-2535 implementation) where any msg.data.length < 4 call leads to zero-padding of msg.sig. For example, calldata of just 0xff becomes 0xff000000. If a facet with that partial selector (0xff000000) is added (e.g., via governance), and its fallback function contains harmful logic, it could be unintentionally or maliciously triggered—potentially resulting in unexpected state changes.",{"children":"A subtle edge case exists in Beanstalk's Diamond proxy (an EIP-2535 implementation) where any msg.data.length < 4 call leads to zero-padding of msg.sig. For example, calldata of just 0xff becomes 0xff000000. If a facet with that partial selector (0xff000000) is added (e.g., via governance), and its fallback function contains harmful logic, it could be unintentionally or maliciously triggered—potentially resulting in unexpected state changes."}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454806c94a7f85f16849a94","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Vulnerability Details",{"children":"Vulnerability Details"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454807ab44ccdbb85e12686","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-Within the Diamond proxy's fallback, we observe:",{"children":"Within the Diamond proxy's fallback, we observe:"}]],"$undefined"]}],["$","$L3d","1d96d11db45480e2a772e5774c065769",{"id":"1d96d11db45480e2a772e5774c065769","children":null,"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":"$3e","updatedAt":1745005733102,"type":"code","language":"Solidity","wrap":true,"link":null}],["$","p",null,{"id":"block-1d96d11db454804bb3eae54a10c27858","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-The issue arises from Solidity's handling of msg.sig (a bytes4) when msg.data.length < 4. Zero-padding can map less-than-four-bytes calldata—like 0xff—to a 4-byte selector 0xff000000. If a facet with that exact selector has a fallback function, the Diamond proxy will delegate-call to it:",{"children":"The issue arises from Solidity's handling of msg.sig (a bytes4) when msg.data.length < 4. Zero-padding can map less-than-four-bytes calldata—like 0xff—to a 4-byte selector 0xff000000. If a facet with that exact selector has a fallback function, the Diamond proxy will delegate-call to it:"}]],"$undefined"]}],["$","$L3d","1d96d11db45480248388eafadb8adf27",{"id":"1d96d11db45480248388eafadb8adf27","children":null,"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":"$40","updatedAt":1745005735374,"type":"code","language":"Solidity","wrap":true,"link":null}],["$","p",null,{"id":"block-1d96d11db45480b88b9cefddc3cdb72b","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Potential for \"Selector Mining\"",{"children":"Potential for \"Selector Mining\""}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480eb8c57c505459218cc","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-Attackers can also perform selector mining to generate specific 4-byte function selectors that end (or begin) with particular bytes. By brute-forcing various function signatures (e.g., tweaking the name or parameters), they may deliberately produce a function that looks legitimate but with a selector like 0xff000000 (or another that partially matches short calldata). Once introduced via governance or other means, this seemingly innocuous facet function could allow fallback-based exploits to remain hidden in plain sight.",{"children":"Attackers can also perform selector mining to generate specific 4-byte function selectors that end (or begin) with particular bytes. By brute-forcing various function signatures (e.g., tweaking the name or parameters), they may deliberately produce a function that looks legitimate but with a selector like 0xff000000 (or another that partially matches short calldata). Once introduced via governance or other means, this seemingly innocuous facet function could allow fallback-based exploits to remain hidden in plain sight."}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db454803489cdd6ee032952ba","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Why Might Calldata < 4 Occur?",{"children":"Why Might Calldata < 4 Occur?"}]}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480abbd5bc9bcbfb7b8c7","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-While it's true that calls with fewer than 4 bytes are not typical, in my opinion they are still possible in several scenarios:",{"children":"While it's true that calls with fewer than 4 bytes are not typical, in my opinion they are still possible in several scenarios:"}]],"$undefined"]}],["$","ol",null,{"start":"$undefined","type":"1","className":"notion-numbered-list","children":[["$","li",null,{"id":"block-1d96d11db45480d7bff2c5f90a7931f5","className":"notion-list-item notion-semantic-string","children":["$undefined",[["$","$3a","0-Phishing or Social Engineering: A malicious interface could trick users into sending a transaction. The user might think it's a harmless or empty call, when in fact it activates an unexpected fallback.",{"children":"Phishing or Social Engineering: A malicious interface could trick users into sending a transaction. The user might think it's a harmless or empty call, when in fact it activates an unexpected fallback."}]],"$undefined"]}],["$","li",null,{"id":"block-1d96d11db4548088b392ee2f9190fa29","className":"notion-list-item notion-semantic-string","children":["$undefined",[["$","$3a","0-Malicious Contract-to-Contract Calls: Attackers could craft a contract that deliberately sends very short calldata to exploit the zero-padded selector, making it difficult for users of the contract to detect the issue.",{"children":"Malicious Contract-to-Contract Calls: Attackers could craft a contract that deliberately sends very short calldata to exploit the zero-padded selector, making it difficult for users of the contract to detect the issue."}]],"$undefined"]}],["$","li",null,{"id":"block-1d96d11db454807198e0df743af9b105","className":"notion-list-item notion-semantic-string","children":["$undefined",[["$","$3a","0-Accidental or Testing Mistakes: Under certain circumstances, both humans and programs can make mistakes, which may lead to unintended outcomes due to the unexpected execution path.",{"children":"Accidental or Testing Mistakes: Under certain circumstances, both humans and programs can make mistakes, which may lead to unintended outcomes due to the unexpected execution path."}]],"$undefined"]}]]}],["$","p",null,{"id":"block-1d96d11db454802c9191fe55611ba60c","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-In isolation, this might appear edge-case, but if a malicious facet is successfully introduced—especially via governance—this quirk becomes a potential vector for unauthorized actions.",{"children":"In isolation, this might appear edge-case, but if a malicious facet is successfully introduced—especially via governance—this quirk becomes a potential vector for unauthorized actions."}]],"$undefined"]}],["$","p",null,{"id":"block-1d96d11db45480449569fcb301cdb6f7","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","strong","0-b",{"children":["$","$3a","0-Impact Details",{"children":"Impact Details"}]}]],"$undefined"]}],["$","ol",null,{"start":"$undefined","type":"1","className":"notion-numbered-list","children":[["$","li",null,{"id":"block-1d96d11db4548033a845fda9af2c788d","className":"notion-list-item notion-semantic-string","children":["$undefined",[["$","$3a","0-Unexpected Execution Path: By exploiting zero-padding, a single-byte (or otherwise short) calldata can invoke a fallback that was never meant to be called.",{"children":"Unexpected Execution Path: By exploiting zero-padding, a single-byte (or otherwise short) calldata can invoke a fallback that was never meant to be called."}]],"$undefined"]}],["$","li",null,{"id":"block-1d96d11db45480878f79d2714dc050c4","className":"notion-list-item notion-semantic-string","children":["$undefined",[["$","$3a","0-Potentially Harmful Operations: If the fallback function executes transfers, mints, or any privileged logic, it could pose a real threat to protocol security and user funds.",{"children":"Potentially Harmful Operations: If the fallback function executes transfers, mints, or any privileged logic, it could pose a real threat to protocol security and user funds."}]],"$undefined"]}]]}],["$","p",null,{"id":"block-1d96d11db45480a29a80c4098cb1a4c6","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-This vulnerability doesn't immediately imply direct theft under normal circumstances. However, it still presents a risk because malicious fallback logic could be exploited for griefing, unauthorized state changes, or, depending on the facet's code, even fund misappropriation.",{"children":"This vulnerability doesn't immediately imply direct theft under normal circumstances. However, it still presents a risk because malicious fallback logic could be exploited for griefing, unauthorized state changes, or, depending on the facet's code, even fund misappropriation."}]],"$undefined"]}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db4548081aafcc03d2708573e"}],["$","h3",null,{"id":"block-1d96d11db4548081aafcc03d2708573e","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$3a","0-Proof of concept",{"children":"Proof of concept"}]],"$undefined"]}]],["$","$L3d","1d96d11db454803a9c6aee3fb6520fa4",{"id":"1d96d11db454803a9c6aee3fb6520fa4","children":null,"hasContent":false,"parentId":"1d96d11db45480628d3ce51dbb046ae1","title":"$42","updatedAt":1745005747629,"type":"code","language":"Solidity","wrap":true,"link":null}],["$","div",null,{"id":"block-1d96d11db454809590ecf44539abf3c7","className":"notion-text"}]],"hasContent":true,"parentId":"bug-reports-bic-notes-report-38420","title":"$45","updatedAt":1745005738634,"type":"toggle","subType":null,"depth":null,"color":null}],[["$","span",null,{"className":"notion-heading__anchor","id":"1d96d11db454800a9aa2e6411d313632"}],["$","h2",null,{"id":"block-1d96d11db454800a9aa2e6411d313632","className":"notion-heading notion-semantic-string","children":["$undefined",[["$","$3a","0-BIC Response",{"children":"BIC Response"}]],"$undefined"]}]],["$","p",null,{"id":"block-1d96d11db45480ecb4e8c2dd973fdd0e","className":"notion-text notion-text__content notion-semantic-string","children":["$undefined",[["$","$3a","0-The situation you describe requires (1) a malicious fallback function to be introduced to the contracts and (2) an end user to unwittingly interact with said malicious function. These observations are not relevant to our bug bounty program and thus we are closing the report.",{"children":"The situation you describe requires (1) a malicious fallback function to be introduced to the contracts and (2) an end user to unwittingly interact with said malicious function. These observations are not relevant to our bug bounty program and thus we are closing the report."}]],"$undefined"]}]],"hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":"$49","updatedAt":1745005741429,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999742008,"lastEditedTime":1745005741429,"createdBy":"$4b","lastEditedBy":"$4f","layout":null,"propertySort":"$53","uri":"/bug-reports/bic-notes/report-38420","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$57","propertyValues":"$58","blockId":"1d96d11d-b454-80bb-afe1-c053ff762e3e","isRoot":true,"ctx":{"head":{"url":"https://community.bean.money/bug-reports/bic-notes/report-38420","title":"Report #38420","description":"The situation you describe requires (1) a malicious fallback function to be introduced to the contracts and (2) an end user to unwittingly interact with said malicious function. These observations are not relevant to our bug bounty program and thus we are closing the report.","root":"$60","image":null,"canonical":null,"author":null,"favicon":"https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/8eb7da25-afae-45ec-95dc-67fbfc3937de/bean-200x200/public","breadcrumbs":"$61"},"settings":{"siteId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3","userId":"94389423-1c7a-40c3-9765-f058817c571a","domainName":"community.bean.money","name":"Beanstalk Notion","active":true,"free":false,"tier":"personal","favicon":null,"fontFamily":"Inter","legacyTheme":"default","language":"en","notionPage":"d2246af0639c440b9153316b52856b7d","indexPageId":"24ee9048-bc34-4e20-87bc-190b6da4b7a3:::46bdfa5c-fa89-4a73-825f-88aeb87b1162","pageProperties":true,"pageSyncing":true,"viewSwitcher":true,"layoutSidePanel":true,"siteSearch":true,"advancedSearch":false,"themeToggle":false,"mondayFirst":false,"loadLimits":false,"hidePersonInfo":false,"showPropertyIcons":false,"redirectSubdomain":null,"noIndex":false,"viewsExceeded":false,"cacheTTL":180000,"manualSync":false,"syncStatus":"unsynced","publishedAt":null,"navbar":null,"footer":null,"sidebar":null,"theme":{"layout":{"paddingLayout":0.6,"layoutMaxWidth":900,"columnSpacing":46,"borderThicknessLayout":1,"borderTypeLayout":"solid","borderRadiiLayout":5,"pageDisplay":"flex"},"header":{"coverHeight":30,"titleAlign":"left","iconAlign":"-112px auto auto auto","display":"block"},"collectionCard":{"gap":10,"shadow":"rgba(15, 15, 15, 0.1) 0px 0px 0px 1px, rgba(15, 15, 15, 0.1) 0px 2px 4px","coverHeightLarge":200,"coverHeightMedium":200,"coverHeightSmall":128,"titleSize":0.875,"coverSizeSmall":172,"coverSizeMedium":260,"coverSizeLarge":320,"iconDisplay":"inline-flex"},"callout":{"iconDisplay":"block","shadow":"none"},"typography":{"primaryFont":"Inter","secondaryFont":"Inter","fonts":[],"baseSize":16,"titleSize":2.5,"quoteSize":1.2,"quoteSizeLarge":1.4,"headingSize":1,"textWeight":"normal","headingWeight":"600"},"scrollbar":{"width":15},"navbar":{"height":56,"shadow":"rgba(0, 0, 0, 0.12) 0px 10px 20px -6px"},"sidebar":{"width":280,"shadow":"rgba(0, 0, 0, 0.12) 0px 10px 20px -6px"},"colors":{"light":{"text":"#37352F","textLight":"#7d7c78","background":"#ffffff","borderColor":"#E9E9E7","checkboxBackground":"#2EAADC","hoverBackground":"#efefef","scrollbar":{"background":"#FAFAFA","handle":"#C1C1C1","border":"#E8E8E8"},"navbar":{"background":"#ffffff","buttonBackground":"#37352F","buttonText":"#ffffff","text":"#37352F"},"footer":{"background":"#ffffff","buttonBackground":"#37352F","buttonText":"#ffffff","text":"#37352F"},"sidebar":{"background":"#ffffff","hoverBackground":"#efefef","ctaBackground":"#ffffff","ctaText":"#37352F","text":"#37352F","border":"#E9E9E7"},"database":{"cardBackground":"#ffffff","cardHoverBackground":"#f9f9f8","calendarWeekendBackground":"#f7f6f3"},"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}},"default":[45,8,20],"gray":[45,2,46],"brown":[19,31,47],"orange":[30,87,45],"yellow":[38,62,49],"green":[149,31,39],"blue":[202,53,43],"purple":[274,32,54],"pink":[328,48,53],"red":[2,62,55]},"dark":{"text":"#e1e1e1","textLight":"#9b9b9b","background":"#191919","borderColor":"#373737","checkboxBackground":"#2EAADC","hoverBackground":"#292929","scrollbar":{"background":"#FAFAFA","handle":"#C1C1C1","border":"#E8E8E8"},"navbar":{"background":"#191919","buttonBackground":"#e1e1e1","buttonText":"#191919","text":"#e1e1e1"},"footer":{"background":"#191919","buttonBackground":"#e1e1e1","buttonText":"#191919","text":"#e1e1e1"},"sidebar":{"background":"#191919","hoverBackground":"#292929","ctaBackground":"#191919","ctaText":"#e1e1e1","text":"#e1e1e1","border":"#373737"},"database":{"cardBackground":"#212121","cardHoverBackground":"#292929","calendarWeekendBackground":"#202020"},"form":{"submitButton":{"default":"#55534E","gray":"#A7A39A","brown":"#9A6851","orange":"#D9730D","yellow":"#CA922F","green":"#448361","blue":"#327DA9","purple":"#8F64AF","pink":"#C24C8B","red":"#D44E49"}},"default":[45,8,20],"gray":[0,0,61],"brown":[18,35,58],"orange":[25,54,53],"yellow":[38,54,54],"green":[146,32,47],"blue":[217,50,58],"purple":[270,55,62],"pink":[329,57,58],"red":[1,69,60]}}},"code":"$34","files":"$38","hasPassword":false,"hasFeed":false},"records":"$65","pageId":"bug-reports-bic-notes-report-38420"}}]]}],["$","$L132",null,{"id":"bug-reports-bic-notes-report-38420","children":"$68","hasContent":true,"parentId":"81d407a13ac34b24afbd8ae2f633beb8","title":"$49","updatedAt":1745005741429,"type":"page","spaceId":"ab0b716f-1149-44f9-a5f8-3c1faef24f49","icon":"📄","createdTime":1744999742008,"lastEditedTime":1745005741429,"createdBy":"$4b","lastEditedBy":"$4f","layout":null,"propertySort":"$53","uri":"/bug-reports/bic-notes/report-38420","fullWidth":false,"smallText":false,"noCover":true,"superProperties":"$57","propertyValues":"$58","blockId":"1d96d11d-b454-80bb-afe1-c053ff762e3e","ctx":"$133"}]]}]