When tokens can get stuck during migration?

Here is a rather interesting and popular bug that can easily be found in protocols that use messages between two networks.

The migration process on the Beanstalk protocol involves two key contracts: BeanL1ReceiverFacet and BeanL2MigrationFacet. The process starts on L1 where tokens are burned, and a message is sent to L2 to mint the equivalent amount of tokens.

function migrateL2Beans(
    address reciever,
    address L2Beanstalk,
    uint256 amount,
    uint32 gasLimit
) external nonReentrant {
    C.bean().burnFrom(msg.sender, amount);

    IL2Bridge(BRIDGE).sendMessage(
        L2Beanstalk,
        abi.encodeCall(IBeanL1RecieverFacet(L2Beanstalk).recieveL1Beans, (reciever, amount)),
        gasLimit
    );
}

function recieveL1Beans(address reciever, uint256 amount) external nonReentrant {
    require(
        msg.sender == address(BRIDGE) &&
        IL2Messenger(BRIDGE).xDomainMessageSender() == L1BEANSTALK
    );
    s.sys.migration.migratedL1Beans += amount;
    require(
        EXTERNAL_L1_BEANS >= s.sys.migration.migratedL1Beans,
        "L2Migration: exceeds maximum migrated"
    );
    C.bean().mint(reciever, amount);
}

1. Burning on L1: The BeanL2MigrationFacet contract burns the tokens from the user's L1 balance.
2. Message to L2: The contract then sends a message to L2 using the IL2Bridge interface, instructing the L2 contract to mint the equivalent amount of tokens.

There might be several problems:
- If the message sent from L1 to L2 fails to execute successfully on L2 (e.g., due to contract limitations or gas issues), the tokens will have already been burned on L1, but the user will not receive the corresponding tokens on L2.
- Specifically, the recieveL1Beans() function on L2 could revert due to various reasons such as exceeding the maximum migrated beans or other contract-specific checks.

It is recommended to comprise a refund/reclaw mechanism for failed transactions on L2, so that tokens can be retrieved.

By implementing a retry mechanism and tracking migration requests, the potential issue of tokens getting stuck during the L1 to L2 migration can be mitigated. This approach ensures that users do not lose their tokens even if there are issues during the migration process.

Read the full report here:

Link: https://codehawks.cyfrin.io/c/2024-05-beanstalk-the-finale/s/462