Payable function using delegatecall inside a loop
Report ID
#25611
Report type
Smart Contract
Has PoC?
No
Target
Impacts
- Theft of unclaimed yield
- Smart contract unable to operate due to lack of token funds
- Temporary freezing of funds for at least 1 hour
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Any governance voting result manipulation
Bug Description
Use of delegatecall inside a loop in a payable function. Depot.farm(bytes[]) (contracts/depot/Depot.sol, lines 55-66) has delegatecall inside a loop in a payable function:
Impact
The same msg.value amount will be accredited multiple times.
Risk Breakdown
Difficulty to Exploit: Easy
Recommendation
Carefully check that the function called by delegatecall is not payable/doesn't use msg.value
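The pattern named in the report, next to a hardened form, as an added example: this is not code from the report or from Beanstalk's Depot, and every contract and function name in it is hypothetical. It assumes a batch entry point that delegatecalls into its own contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed for illustration; hypothetical names, not Beanstalk's Depot code.
contract UnsafeBatch {
    mapping(address => uint256) public credited;

    function deposit() public payable {
        credited[msg.sender] += msg.value;
    }

    // delegatecall keeps msg.sender and msg.value of this frame, so every
    // item sees the full msg.value: two deposit() items sent with 1 ether
    // credit the caller 2 ether.
    function batch(bytes[] calldata data) external payable {
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, ) = address(this).delegatecall(data[i]);
            require(ok, "batch item failed");
        }
    }
}

// Hardened form: no function reads msg.value except the batch entry point,
// which records it once as a budget that the items draw down.
contract MeteredBatch {
    mapping(address => uint256) public credited;
    uint256 private unspent; // wei of the running batch not yet allocated
    bool private inBatch;

    // payable only so Solidity's non-payable check passes inside the
    // delegatecall frame, which still carries the batch's msg.value.
    function deposit(uint256 amount) public payable {
        require(inBatch, "only inside batch");
        unspent -= amount; // checked arithmetic: reverts on overspend
        credited[msg.sender] += amount;
    }

    function batch(bytes[] calldata data) external payable {
        require(!inBatch, "nested batch"); // a nested batch would reset the budget
        inBatch = true;
        unspent = msg.value;
        for (uint256 i = 0; i < data.length; i++) {
            (bool ok, ) = address(this).delegatecall(data[i]);
            require(ok, "batch item failed");
        }
        require(unspent == 0, "msg.value not fully allocated");
        inBatch = false;
    }
}
```

When a batch never needs to carry ETH, declaring the batch function non-payable is the simpler option, since msg.value is then zero in every delegatecall.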
Immunefi Response
Immunefi has reviewed this vulnerability report and decided to close it since it is out of scope for the Beanstalk bug bounty program.
- claimed impact by the whitehat is in scope for the bug bounty program
- claimed asset by the whitehat is in scope for the bug bounty program
- PoC has not been submitted to the project
- claimed severity is in scope for the bug bounty program
Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:
- check if whitehat's claims are factually correct
- check PoC to understand the validity
- assess the submission's severity
These activities are the project's responsibility.
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.