Report #12981

Report Date
October 30, 2022
Status
Closed
Payout

flashloan attack with curve pool manipulation

Report Info

Report ID

#12981

Target

Report type

Smart Contract

Impacts

Price manipulation with a flashloan on the Curve pool, and arbitrage executed between Bean and stablecoins (Out of scope)

Has PoC?

Yes

Bug Description

The bug is that the Beanstalk price relies on the Curve pool for stable pricing.

Impact

When the arbitrage is executed, Bean will lose its peg and funds will be stolen.

Risk Breakdown

Difficulty to Exploit: Medium

Weakness: CVSS2 Score: 10 Critical

Recommendation

There are two recommendations:

  1. Even though the stable pool in Beanstalk Finance has high liquidity and price impact may not be an issue, it is advisable to increase the price impact / price slippage sensitivity.
  2. The Bean stable price should use a decentralised oracle feed instead of relying on the Curve pool.
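As an added illustration of both recommendations (this is example code, not from the report and not Beanstalk or Curve code), the block below models a pool as a simplified constant-product AMM rather than Curve's stableswap invariant, and shows two defensive checks a protocol can apply before consuming a pool price: a deviation guard against an external reference price, and a time-weighted average price (TWAP) that a single-block reserve swing barely moves. All reserve sizes, swap amounts, timestamps and the 100 bps tolerance are constructed values chosen for the example.

```python
"""Pool-price sanity guards: deviation check against a reference and a TWAP.

Added example, not from the report. The pool is a simplified constant-product
AMM (x * y = k), NOT Curve's stableswap invariant; all numbers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Pool:
    bean: float    # BEAN reserve
    stable: float  # stablecoin reserve (USDC-like), assumed 1:1 with USD

    def spot_price(self) -> float:
        """Stablecoins per BEAN implied by the current reserves."""
        return self.stable / self.bean

    def swap_stable_for_bean(self, stable_in: float) -> float:
        """Deposit stablecoins, withdraw BEAN, keeping bean * stable constant."""
        k = self.bean * self.stable
        new_stable = self.stable + stable_in
        new_bean = k / new_stable
        bean_out = self.bean - new_bean
        self.stable, self.bean = new_stable, new_bean
        return bean_out


def deviation_bps(price: float, reference: float) -> float:
    """Absolute deviation of `price` from `reference`, in basis points."""
    return abs(price - reference) / reference * 10_000


def trusted_price(price: float, reference: float,
                  max_deviation_bps: float) -> Optional[float]:
    """Recommendation 1: accept the pool price only if it is within tolerance
    of an independent reference (recommendation 2); otherwise return None so
    the caller refuses to act on a possibly manipulated reading."""
    if deviation_bps(price, reference) > max_deviation_bps:
        return None
    return price


def twap(observations: List[Tuple[float, float]],
         window_end: float, window_len: float) -> float:
    """Time-weighted average of (timestamp, price) observations over the window
    [window_end - window_len, window_end]. Each price holds until the next
    observation, so a price that exists for one block contributes little."""
    start = window_end - window_len
    next_ts = [ts for ts, _ in observations[1:]] + [window_end]
    weighted, covered = 0.0, 0.0
    for (ts, price), nxt in zip(observations, next_ts):
        lo, hi = max(ts, start), min(nxt, window_end)
        if hi > lo:
            weighted += price * (hi - lo)
            covered += hi - lo
    if covered <= 0:
        raise ValueError("no observations inside the window")
    return weighted / covered


def run_scenario() -> dict:
    """Constructed scenario: a balanced 1M/1M pool, an oracle reference of 1.0,
    a routine 2,000-stablecoin swap, then a 498,000 swap in the same block."""
    pool = Pool(bean=1_000_000.0, stable=1_000_000.0)
    oracle_reference = 1.0          # assumed external feed, constructed value
    tolerance_bps = 100.0           # assumed 1% tolerance, constructed value

    before = trusted_price(pool.spot_price(), oracle_reference, tolerance_bps)
    pool.swap_stable_for_bean(2_000.0)
    normal = trusted_price(pool.spot_price(), oracle_reference, tolerance_bps)
    pool.swap_stable_for_bean(498_000.0)   # reserves now 1.5M stable
    spot_after = pool.spot_price()
    manipulated = trusted_price(spot_after, oracle_reference, tolerance_bps)

    # A 10-minute TWAP (constructed timestamps in seconds) sees the distorted
    # price for only the final second of the window.
    observations = [(0.0, 1.0), (599.0, spot_after)]
    averaged = twap(observations, window_end=600.0, window_len=600.0)
    return {
        "before": before,            # 1.0, accepted
        "normal": normal,            # ~1.004, accepted (about 40 bps)
        "spot_after": spot_after,    # 2.25, far from the reference
        "manipulated": manipulated,  # None: reading rejected
        "twap": averaged,            # ~1.002, still accepted
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The guard treats the pool as one input, not the truth: a reading that disagrees with the reference by more than the tolerance is rejected rather than consumed, and the TWAP shows why averaging over time limits what a single-block reserve swing can do to the price a protocol acts on. Tolerance and window length are parameters a deployment must tune against normal volatility; the 100 bps and 600 s here are only constructed defaults.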

References

Harvest Finance flashloan attack: fUSDC pricing, which was pegged to the Y pool of Curve.fi, was attacked by flashloan price manipulation.

Proof of concept

An attacker could utilise a flashloan to manipulate pricing on the Curve pool by borrowing USDT/USDC/DAI via flashloan, then:

  1. buy Bean on Beanstalk Finance with a portion of the borrowed funds;
  2. trade on the Curve pool with the remaining borrowed funds to increase the USDT/USDC/DAI supply, so that the USDT/USDC/DAI supply increases enormously, the Bean supply decreases and the Bean price increases substantially;
  3. with the Bean price increased, sell Bean for stablecoins and repay the flashloan.

Immunefi Response

Hi, Immunefi has reviewed this vulnerability report and decided to close it since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has been submitted to the project
  • claimed severity is in scope for the bug bounty program

Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:

  • check if whitehat's claims are factually correct
  • check PoC to understand the validity
  • assess the submission's severity

These activities are the project's responsibility.

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.