flashloan attack with curve pool manipulation
Report ID
#12981
Target
Report type
Smart Contract
Impacts
pricing manipulation with flashloan on curve pool and arbitrage to execute between bean and stablecoin (Out of scope)
Has PoC?
Yes
Bug Description
The bug is beanstalk price relying on curve pool for stable pricing.
Impact
When arbitrage is executed, Bean price will loose peg and fund will be stolen.
Risk Breakdown
Difficulty to Exploit: Medium
Weakness: CVSS2 Score: 10 Critical
Recommendation
There are two recommendations:
- Eventhough stable pool in beanstalk finance have high liquidity and price impact may not be an issues, it is advisable to Increase price impact / price slippage sensitivity.
- Bean stable price to use decentralised oracle feed instead relying on curve pool
References
Harvest Finance flashloan attack: fUSDc pricing which peg to Y pool of Curve.fi getting attacked by flahsloan price manipulation.
Proof of concept
Attacker could utilise flahsloan to manipulate pricing on curve pool by borrowing USDT/USDC/DAI on flashloan, then
- buy Bean on Beanstalk finance with portion of the borrow fund
- trade on Curve pool to increase USDT/USDC/DAI supply with remaining borrowed fund, thus USDT/USDC/DAI supply increase enormously and Bean supply decrease and the Bean price increase substantially.
- Increase price on Bean, attacker to sell Bean to get Stablecoin and repay flashloan.
Immunefi Response
Hi, Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
- claimed impact by the whitehat
is not in scope
for the bug bounty program- claimed asset by the whitehat is in scope for the bug bounty program
- PoC has been submitted to the project
- claimed severity is in scope for the bug bounty program
Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:
- check if whitehat's claims are factually correct
- check PoC to understand the validity
- assess the submission's severity
These activities are the project's responsibility.
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.