Permanent loss of funds due to dependence on a single owner address [Critical]
Report ID
#22705
Report type
Smart Contract
Has PoC?
Yes
Target
Impacts
- Permanent freezing of funds
Summary
I would like to report an issue in the Beanstalk smart contract, in which the developer uses a single owner/admin address in order to perform the functionality of the smart contract instead of using an array of owners, as in the GnosisSafeProxy contract.
Link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code
Why is it an issue?
If a privileged user, e.g., the owner, misplaces their private key or becomes inactive, the entire contract will fail to operate. Effectively, the contract relies on a single address possessed by the owner; this creates a single point of failure that is subject to human error.
Exact Issue
Step 1 : Open the Link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code
Step 2 : Here, in the constructor, you can see that a _contractOwner is defined
constructor(address _contractOwner) {
    LibDiamond.setContractOwner(_contractOwner);
    LibDiamond.addDiamondFunctions(
        address(new DiamondCutFacet()),
        address(new DiamondLoupeFacet()),
        address(new OwnershipFacet())
    );
}
Step 3 : Open this address in a new tab; it is basically a single address
address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1
Step 4 : This is the crucial issue which I want to discuss in my report:
What happens if the owner
- is dead?
- lost his private key?
If such a situation happens, the function will never be accessible anymore, causing a fund loss issue in the smart contract (freezing of funds).
Impact / Consequences
- Due to the reliance on the owner’s unique privileges, the contract can experience a DoS, i.e., be left inoperable. The DoS will result in financial losses for all who rely on the contract for financial compensation which is contingent upon the state transition of the inoperable contract.
- Much other Beanstalk smart contract functionality is totally dependent on a single owner address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1
Recommendation
I would suggest that the developer add more than one address to the getOwners query, just like the GnosisSafeProxy smart contract, where an array of owners is defined.
Thank You
Proof of concept
Step 1 : Open the Link = https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5?utm_source=immunefi#code
Step 2 : Here, in the constructor, you can see that a _contractOwner is defined
constructor(address _contractOwner) {
    LibDiamond.setContractOwner(_contractOwner);
    LibDiamond.addDiamondFunctions(
        address(new DiamondCutFacet()),
        address(new DiamondLoupeFacet()),
        address(new OwnershipFacet())
    );
}
Step 3 : Open this address in a new tab; it is basically a single address
address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1
Step 4 : This is the crucial issue which I want to discuss in my report:
What happens if the owner
- is dead?
- lost his private key?
If such a situation happens, the function will never be accessible anymore, causing a fund loss issue in the smart contract (freezing of funds).
Impact / Consequences
- Due to the reliance on the owner’s unique privileges, the contract can experience a DoS, i.e., be left inoperable. The DoS will result in financial losses for all who rely on the contract for financial compensation which is contingent upon the state transition of the inoperable contract.
- Much other Beanstalk smart contract functionality is totally dependent on a single owner address = 0x925753106FCdB6D2f30C3db295328a0A1c5fD1D1
BIC Response
This is not a valid bug report because centralization risks are explicitly out of scope, as stated in the bug bounty program. Additionally, the owner address of Beanstalk is 0xa9bA2C40b263843C04d344727b954A545c81D043, which is a 5-of-9 multisig documented here: https://docs.bean.money/almanac/governance/beanstalk/bcm-process.
Due to these reasons, we are closing the submission and no reward will be issued.
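A constructor argument records only the owner set at deployment; the owner in force is whatever owner() returns now, and whether that address holds code decides if it is a single key or a contract such as a multisig. The following is an added example, not code from the report or from Beanstalk, that performs this triage check. The rpc transport, the Safe-style getThreshold()/getOwners() interface, the placeholder addresses and the canned node responses are assumptions constructed for illustration.

```python
# Added example: resolve a contract's *current* owner and classify it.
# rpc(method, params) is an assumed JSON-RPC transport; a constructed stub is used below.
OWNER = "0x8da5cb5b"          # selector of owner() (ERC-173)
GET_THRESHOLD = "0xe75235b8"  # selector of getThreshold() (assumed Safe-style multisig)
GET_OWNERS = "0xa0e67e2b"     # selector of getOwners() (assumed Safe-style multisig)

def words(data):
    """Split ABI-encoded return data into 32-byte hex words."""
    raw = data[2:] if data.startswith("0x") else data
    if not raw or len(raw) % 64:
        raise ValueError("not ABI-encoded return data")
    return [raw[i:i + 64] for i in range(0, len(raw), 64)]

def as_address(word):
    if int(word[:24], 16):
        raise ValueError("upper 12 bytes set: not an address")
    return "0x" + word[24:]

def classify_owner(rpc, contract):
    call = lambda to, sel: rpc("eth_call", [{"to": to, "data": sel}, "latest"])
    owner = as_address(words(call(contract, OWNER))[0])
    if rpc("eth_getCode", [owner, "latest"]) in ("0x", ""):
        return {"owner": owner, "kind": "EOA"}        # no code: one private key
    try:
        threshold = int(words(call(owner, GET_THRESHOLD))[0], 16)
        w = words(call(owner, GET_OWNERS))
        start = int(w[0], 16) // 32                   # word index of the array length
        signers = [as_address(x) for x in w[start + 1:start + 1 + int(w[start], 16)]]
    except (ValueError, IndexError):
        return {"owner": owner, "kind": "contract"}   # not Safe-like: review by hand
    return {"owner": owner, "kind": "multisig", "threshold": threshold, "signers": len(signers)}

# Constructed sample data: placeholder addresses and canned node responses.
DIAMOND, SAFE, EOA_OWNED = "0x" + "d1" * 20, "0x" + "5a" * 20, "0x" + "e0" * 20
pad = lambda h: h.rjust(64, "0")
CANNED = {
    ("eth_call", DIAMOND, OWNER): "0x" + pad("5a" * 20),
    ("eth_call", EOA_OWNED, OWNER): "0x" + pad("0b" * 20),
    ("eth_call", SAFE, GET_THRESHOLD): "0x" + pad("5"),
    ("eth_call", SAFE, GET_OWNERS): "0x" + pad("20") + pad("9")
        + "".join(pad(f"{i:040x}") for i in range(1, 10)),
    ("eth_getCode", SAFE): "0x6080",
}

def fake_rpc(method, params):
    if method == "eth_getCode":
        return CANNED.get((method, params[0]), "0x")
    return CANNED[(method, params[0]["to"], params[0]["data"])]
```

Against a real node, pass a function that posts the same method and params to the JSON-RPC endpoint and returns the result field.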