
Report #22705

Report Date
July 31, 2023
Status
Closed
Payout

Permanent Loss of funds due to dependent on single owner address [ Critical ]

Report Info

Report ID

#22705

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

  • Permanent freezing of funds

Summary

I would like to report an issue in the Beanstalk smart contract in which the developer uses a single owner/admin address in order to perform the functionality of the smart contract, instead of using an array of owners just like in the GnosisSafeProxy contract.

Link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code

Why is it an issue?

If a privileged user, e.g., the owner, misplaces their private key or becomes inactive, the entire contract will fail to operate. Effectively, the contract relies on a single address possessed by the owner; this creates a single point of failure that is subject to human error.

Exact Issue

Step 1: Open the link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code

Step 2: Here, in the constructor part, you see a _contractOwner is defined

    constructor(address _contractOwner) {
        LibDiamond.setContractOwner(_contractOwner);
        LibDiamond.addDiamondFunctions(
            address(new DiamondCutFacet()),
            address(new DiamondLoupeFacet()),
            address(new OwnershipFacet())
        );
    }

Step 3: Open this address in a new tab; it is basically a single address

  address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1

Step 4: This is the crucial issue which I want to discuss in my report:

What happens if the owner

  1. is dead?
  2. lost his private key?

If such a situation happens, the function will never be accessible anymore and will cause a fund loss issue in the smart contract (freezing of funds).

Impact / Consequences

  1. Due to the reliance on the owner's unique privileges, the contract can experience a DOS, i.e., be left inoperable. The DOS will result in financial losses for all who rely on the contract for financial compensation which is contingent upon the state transition of the inoperable contract.

Link = https://www.atlantis-press.com/journals/ijndc/125913574/view?ref=metastate

  2. Many other Beanstalk smart contract functionalities totally depend on a single owner address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1

Link = https://etherscan.io/address/0xBEA0000029AD1c77D3d5D23Ba2D8893dB9d1Efab?utm_source=immunefi

Link = https://etherscan.io/address/0x1BEA0050E63e05FBb5D8BA2f10cf5800B6224449?utm_source=immunefi

Link = https://etherscan.io/address/0x1BEA3CcD22F4EBd3d37d731BA31Eeca95713716D?utm_source=immunefi

Recommendation

I would suggest the developer add more than one address to the getOwners query, just like the GnosisSafeProxy smart contract, where an array of owners is defined.

Link = https://bscscan.com/address/0xcd29e5c0031c42f9e78291ef5d5148a5e618e5bc#readProxyContract

Thank You

Proof of concept

Step 1: Open the link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code

Step 2: Here, in the constructor part, you see a _contractOwner is defined

    constructor(address _contractOwner) {
        LibDiamond.setContractOwner(_contractOwner);
        LibDiamond.addDiamondFunctions(
            address(new DiamondCutFacet()),
            address(new DiamondLoupeFacet()),
            address(new OwnershipFacet())
        );
    }

Step 3: Open this address in a new tab; it is basically a single address

  address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1

Step 4: This is the crucial issue which I want to discuss in my report:

What happens if the owner

  1. is dead?
  2. lost his private key?

If such a situation happens, the function will never be accessible anymore and will cause a fund loss issue in the smart contract (freezing of funds).

Impact / Consequences

  1. Due to the reliance on the owner's unique privileges, the contract can experience a DOS, i.e., be left inoperable. The DOS will result in financial losses for all who rely on the contract for financial compensation which is contingent upon the state transition of the inoperable contract.

Link = https://www.atlantis-press.com/journals/ijndc/125913574/view?ref=metastate

  2. Many other Beanstalk smart contract functionalities totally depend on a single owner address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1

Link = https://etherscan.io/address/0xBEA0000029AD1c77D3d5D23Ba2D8893dB9d1Efab?utm_source=immunefi

Link = https://etherscan.io/address/0x1BEA0050E63e05FBb5D8BA2f10cf5800B6224449?utm_source=immunefi

Link = https://etherscan.io/address/0x1BEA3CcD22F4EBd3d37d731BA31Eeca95713716D?utm_source=immunefi
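The two ownership shapes the report contrasts, as an added Solidity example that is not Beanstalk's code and not the GnosisSafe implementation: a single-owner vault where one key gates every privileged call, beside a k-of-n owner vault where a privileged action executes only after `threshold` distinct owners confirm it. Contract, function and event names are illustrative assumptions; the point is that losing one key in the first contract strands the funds, while the second tolerates the loss of up to n minus k keys.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not project code. Names are hypothetical.

/// Single-owner pattern: one private key is the only way to move funds.
/// If that key is lost, withdraw() can never be called again.
contract SingleOwnerVault {
    address public owner;

    constructor(address _owner) {
        require(_owner != address(0), "zero owner");
        owner = _owner;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function withdraw(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }

    receive() external payable {}
}

/// k-of-n owner pattern: any owner may propose a withdrawal, and it executes
/// once `threshold` distinct owners have confirmed it. Losing a single key
/// does not freeze the contract as long as `threshold` keys remain usable.
contract MultiOwnerVault {
    address[] public owners;
    mapping(address => bool) public isOwner;
    uint256 public immutable threshold;
    uint256 public nonce; // next proposal id

    struct Proposal {
        address payable to;
        uint256 amount;
        uint256 confirmations;
        bool executed;
        mapping(address => bool) confirmed; // each owner counts once
    }
    mapping(uint256 => Proposal) private proposals;

    event Proposed(uint256 indexed id, address indexed to, uint256 amount);
    event Confirmed(uint256 indexed id, address indexed owner);
    event Executed(uint256 indexed id);

    constructor(address[] memory _owners, uint256 _threshold) {
        require(_owners.length > 0, "no owners");
        require(_threshold > 0 && _threshold <= _owners.length, "bad threshold");
        for (uint256 i = 0; i < _owners.length; i++) {
            address o = _owners[i];
            require(o != address(0) && !isOwner[o], "bad or duplicate owner");
            isOwner[o] = true;
            owners.push(o);
        }
        threshold = _threshold;
    }

    modifier onlyOwner() {
        require(isOwner[msg.sender], "not owner");
        _;
    }

    /// The array-of-owners query the report asks for.
    function getOwners() external view returns (address[] memory) {
        return owners;
    }

    function propose(address payable to, uint256 amount) external onlyOwner returns (uint256 id) {
        require(to != address(0), "zero recipient");
        id = nonce++;
        Proposal storage p = proposals[id];
        p.to = to;
        p.amount = amount;
        emit Proposed(id, to, amount);
        _confirm(p, id); // proposer's own confirmation counts toward the threshold
    }

    function confirm(uint256 id) external onlyOwner {
        require(id < nonce, "no such proposal");
        _confirm(proposals[id], id);
    }

    function _confirm(Proposal storage p, uint256 id) internal {
        require(!p.executed, "already executed");
        require(!p.confirmed[msg.sender], "already confirmed");
        p.confirmed[msg.sender] = true;
        p.confirmations += 1;
        emit Confirmed(id, msg.sender);
        if (p.confirmations >= threshold) {
            p.executed = true; // set before the transfer (checks-effects-interactions)
            p.to.transfer(p.amount);
            emit Executed(id);
        }
    }

    receive() external payable {}
}
```

Deploying MultiOwnerVault with, say, nine owner addresses and a threshold of five gives the same 5-of-9 property the BIC response cites for Beanstalk's actual owner; the single-owner contract has no equivalent recovery path, which is the whole of the report's concern.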

BIC Response

This is not a valid bug report because centralization risks are explicitly out of scope, as stated in the bug bounty program. Additionally, the owner address of Beanstalk is 0xa9bA2C40b263843C04d344727b954A545c81D043, which is a 5-of-9 multisig documented here: https://docs.bean.money/almanac/governance/beanstalk/bcm-process.

Due to these reasons, we are closing the submission and no reward will be issued.