Missing payable modifiers for important functions
Report ID
#19211
Target
Report type
Smart Contract
Impacts
Any governance voting result manipulation
Has PoC?
Yes
Bug Description
Hello
All functions of all Beanstalk diamond proxy smart contracts have the payable modifier.
In the contract OwnershipFacet: https://etherscan.io/address/0x5d45283ff53aabdb93693095039b489af8b18cf7
In the functions transferOwnership and claimOwnership, the payable modifier to run these functions is missing.
I attached a screenshot from Etherscan to show a PoC that the payable modifier is missing for these functions.
Risk Breakdown
Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:
Proof of concept
I attached screenshots from Etherscan for 0x5d45283ff53aabdb93693095039b489af8b18cf7 to show a PoC that the payable modifier is missing.
BIC Response
The bug bounty program notes that: "All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward."
The BIC is already aware that a payable modifier is not on the transferOwnership and claimOwnership functions. More notably, it is not clear why this would be a vulnerability and the report does not state why this would be the case.
For these reasons, we are closing the submission and a reward will not be issued.