Report #19295

Report Date: April 16, 2023
Status: Closed
Payout:

Different Duplicate Facets simultaneously work in Beanstalk diamond system

Report Info

Report ID: #19295

Target:

Report type: Smart Contract

Impacts: Permanent freezing of funds

Has PoC? Yes

Bug Description

There are two different SiloFacets in diamond Proxy addresses:

0xf73db3fb33c7070db0f0ae4a76872251dca15e97 was deployed 166 days ago
0xed7be52f59b4aa0c36b046e5c1f14df62aae79d6 was deployed 129 days ago

You need to leave only one Facet in your system.

Risk Breakdown

Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:

Proof of concept

I attached screenshots from https://louper.dev/ to show that 0xf73db3fb33c7070db0f0ae4a76872251dca15e97 and 0xed7be52f59b4aa0c36b046e5c1f14df62aae79d6 are in the system.

BIC Response

This is not a security bug report because the "bug" described is expected behavior. It is acceptable for there to be multiple facets with the same name. See Louper to see how the different SiloFacets have different function selectors on them: https://louper.dev/diamond/0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5.

The report also does not describe how the reported issue would lead to the impact of "permanent freezing of funds".

Due to these reasons, we are closing the submission and no reward will be issued.
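
The check the response points to, as an added example that is not part of the report or of Beanstalk's code: given a result shaped like the EIP-2535 loupe `facets()` output, it reports whether any function selector is claimed by more than one facet, which is the property that matters rather than the facet's name. The two facet addresses are the ones from the report; every selector value is a constructed placeholder and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample shaped like EIP-2535 DiamondLoupe facets() output:
# a list of (facetAddress, [bytes4 selectors]). The addresses are the two
# SiloFacet addresses from the report; the selectors are made-up
# placeholders, not real Beanstalk selectors.
SAMPLE_FACETS = [
    ("0xf73db3fb33c7070db0f0ae4a76872251dca15e97", ["0xaaaa0001", "0xaaaa0002"]),
    ("0xed7be52f59b4aa0c36b046e5c1f14df62aae79d6", ["0xbbbb0001", "0xBBBB0002"]),
]

def normalize(hexstr, nbytes):
    """Lower-case a 0x-prefixed hex string and check its byte length."""
    h = hexstr.lower()
    if not h.startswith("0x") or len(h) != 2 + 2 * nbytes:
        raise ValueError(f"expected {nbytes}-byte hex value, got {hexstr!r}")
    int(h, 16)  # raises ValueError on non-hex characters
    return h

def selector_routes(facets):
    """Map each selector to the set of facet addresses that claim it."""
    routes = defaultdict(set)
    for address, selectors in facets:
        addr = normalize(address, 20)
        for sel in selectors:
            routes[normalize(sel, 4)].add(addr)
    return routes

def ambiguous_selectors(facets):
    """Selectors claimed by more than one facet; empty means routing is unambiguous."""
    return {s: sorted(a) for s, a in selector_routes(facets).items() if len(a) > 1}

def shared_selectors(facets, addr_a, addr_b):
    """Selectors that two specific facets both claim."""
    a, b = normalize(addr_a, 20), normalize(addr_b, 20)
    return sorted(s for s, owners in selector_routes(facets).items() if {a, b} <= owners)

if __name__ == "__main__":
    first, second = SAMPLE_FACETS[0][0], SAMPLE_FACETS[1][0]
    print("ambiguous selectors:", ambiguous_selectors(SAMPLE_FACETS))
    print("shared by both SiloFacets:", shared_selectors(SAMPLE_FACETS, first, second))
```

An empty result for both calls means the two same-named facets serve disjoint sets of selectors, so each call into the diamond has exactly one destination.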