Beanstalk Notion
Beanstalk Notion
/
🪲
Bug Reports
/
BIC Notes
/
📄
Report #12580
📄

Report #12580

Report Date
October 20, 2022
Status
Closed
Payout

Missing Access Control (Withdraw_Admin_Fees)

‣
Report Info

Report ID

#12580

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Report type

Smart Contract

Impacts

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Contract fails to deliver promised returns, but doesn't lose value

Has PoC?

Yes

Bug Descrption

Anyone is able to call the withdraw_admin_fees() it doesnot check the caller is admin

Fix

Add this line of code

assert msg.sender == self.admin

Proof of concept

1. Visit here

https://etherscan.io/address/0xc9c32cd16bf7efb85ff14e0c8603cc90f6f2ee49#code 2. check the function

def withdraw_admin_fees():
    factory: address = self.factory

    # transfer coin 0 to Factory and call `convert_fees` to swap it for coin 1
    coin: address = self.coins[0]
    amount: uint256 = ERC20(coin).balanceOf(self) - self.balances[0]
    if amount > 0:
        ERC20(coin).transfer(factory, amount)
        Factory(factory).convert_fees()

    # transfer coin 1 to the receiver
    coin = self.coins[1]
    amount = ERC20(coin).balanceOf(self) - self.balances[1]
    if amount > 0:
        receiver: address = Factory(factory).fee_receiver(BASE_POOL)
        ERC20(coin).transfer(receiver, amount)
  1. It lacks the check an admin is caller address.

BIC Response

This submission is related to an out of scope asset: the BEAN:3CRV Curve LP token. Curve pools are not part of Beanstalk and thus not included in the Immunefi bug bounty program. Curve pools are also non-upgradable.

The Beanstalk DAO acknowledges the risk of using Curve and has transparently communicated that here:

https://docs.bean.money/disclosures#12-curve-risk

Due to these reasons, this report is not eligible for a reward.