
Report #23897

Report Date
September 5, 2023
Status
Closed
Payout

Arbitrary Function Call Vulnerability in Aquifer Contract's boreWell Function

Report Info

Report ID

#23897

Report type

Smart Contract

Has PoC?

Yes

Target

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Bug Description

The Aquifer contract's boreWell function performs a low-level call on the newly cloned Well contract using user-provided calldata (initFunctionCall). This allows arbitrary function calls on the clone, which an attacker could use to invoke any function on the newly cloned contract before anyone else.

Impact

An attacker could potentially exploit this to take control of the newly cloned contract. For example, if the cloned contract exposes a function that sets an owner, the attacker could call it through initFunctionCall and set themselves as the owner.

Proof of concept

Consider a hypothetical scenario where the Well contract has a function that allows setting an owner:

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical Well implementation with an unguarded owner setter
contract MaliciousWell {
    address public owner;

    function setOwner(address _owner) public {
        owner = _owner;
    }
}

An attacker could exploit the initFunctionCall to set themselves as the owner of the newly cloned contract:

// Assume `maliciousWell` is the address of the MaliciousWell contract
// Assume `aquifer` is the Aquifer contract
// Assume `attacker` is the address of the attacker

// Calldata that the Aquifer forwards to the fresh clone: setOwner(attacker)
bytes memory initFunctionCall = abi.encodeWithSignature("setOwner(address)", attacker);
// boreWell(implementation, immutableData, initFunctionCall, salt)
aquifer.boreWell(maliciousWell, "", initFunctionCall, "some_salt");

In this example, the initFunctionCall is set to call the setOwner function with the attacker's address as the parameter. When the Aquifer contract clones the MaliciousWell contract and calls the initFunctionCall, the attacker becomes the owner of the newly cloned contract.

This is a simplified example, and an actual exploit could be more complex. However, it illustrates the risk of making a low-level call with user-provided data.
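To make the mechanism in the Bug Description and the proof of concept concrete, the following is an added example (not the Basin project's Aquifer or Well code): a hypothetical MiniAquifer that clones an implementation with CREATE2 and forwards deployer-supplied calldata to the clone, a hypothetical Well whose initializer is single-use, and a Deployer that sets itself as owner exactly as the report describes. The immutableData parameter of the real boreWell is omitted, and the names MiniAquifer, Well, Deployer and init are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal model of the pattern in the report (added example, not
// the project's code): clone an implementation, then call it with the
// deployer's calldata. `immutableData` from the real signature is left out.
contract MiniAquifer {
    event BoreWell(address indexed well, address indexed implementation, address indexed deployer);

    function boreWell(
        address implementation,
        bytes calldata initFunctionCall,
        bytes32 salt
    ) external returns (address well) {
        well = _clone(implementation, salt);
        if (initFunctionCall.length > 0) {
            // The clone sees msg.sender == address(this) (the factory), not the
            // deployer. The deployer controls only the calldata being forwarded.
            (bool ok, bytes memory ret) = well.call(initFunctionCall);
            if (!ok) {
                // Bubble up the clone's revert reason unchanged.
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
        emit BoreWell(well, implementation, msg.sender);
    }

    // EIP-1167 minimal proxy deployed with CREATE2, so the address is salt-derived.
    function _clone(address implementation, bytes32 salt) internal returns (address instance) {
        bytes20 target = bytes20(implementation);
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), target)
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            instance := create2(0, ptr, 0x37, salt)
        }
        require(instance != address(0), "clone failed");
    }
}

// Hypothetical Well implementation. Whoever calls boreWell is also the party
// supplying initFunctionCall, so being the first caller on your own clone is
// the intended flow. The single-use guard only stops a later party from
// re-initializing a Well that has already been bored.
contract Well {
    address public aquifer;   // factory that bored this well (msg.sender of init)
    address public owner;     // chosen by the deployer via the init calldata
    bool private initialized;

    function init(address _owner) external {
        require(!initialized, "already initialized");
        initialized = true;
        aquifer = msg.sender; // the factory, because boreWell made the call
        owner = _owner;
    }
}

// The report's scenario: the deployer encodes init(self) and hands it to the
// factory, ending up as owner of a Well that nobody else has touched yet.
contract Deployer {
    function bore(MiniAquifer aquifer, address implementation) external returns (address) {
        bytes memory initFunctionCall = abi.encodeCall(Well.init, (msg.sender));
        bytes32 salt = keccak256(abi.encode(msg.sender, block.number));
        return aquifer.boreWell(implementation, initFunctionCall, salt);
    }
}
```

Two points worth noting from running this through: the clone's initializer observes the factory, not the attacker, as msg.sender, so ownership can only be handed to the attacker through an explicit calldata argument, and any other user who calls boreWell gets exactly the same first-call privilege on the Well they themselves create. The owner set here is the owner of a brand-new, empty clone; no pre-existing Well or user funds are affected.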

BIC Response

This is not a valid bug report because what it describes is expected behavior. The same could be done with any multicall contract, like Pipeline. If they create the contract, it makes sense that they are able to be the first ones to call a function on the contract.

Due to these reasons, we are closing the submission and no reward will be issued.