Report #26029

Report Date
November 22, 2023
Status
Closed
Payout

Storage collision between dynamic immutable storage: wellFunctionDataM and pump1Address use the same storage location

Report Info

Report ID

#26029

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xBA510e11eEb387fad877812108a3406CA3f43a4B

Impacts

Storage Collision in dynamic immutable storage layout of well contract (Out of scope)

Bug Description

The Well contract, when created, must be cloned with a pre-encoded byte string containing immutable data. This immutable data is retrieved in the Well contract through _getArgBytes(), which returns the required immutable data. The issue lies in the fact that an error was made while assigning the logic for the storage locations of wellFunctionDataM and pump1Address, which are the same: 136 + n * 32 + m. Therefore they override each other when updated and return the wrong data when retrieved.

Impact

Impact is medium, as wrong data is retrieved due to an error in logic, leading to the contract failing to deliver on promised returns.

Risk Breakdown

Difficulty to Exploit: Easy
Weakness: High
CVSS2 Score: 6

Recommendation

The storage locations of wellFunctionDataM and pump1Address should be different, with 20 being added concurrently from pump1Address to pump1Data:

wellFunctionDataM: 136 + n * 32 + m

pump1Address: 136 + n * 32 + m + 20
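The offset arithmetic in the description and recommendation above, as an added example that is not Basin's code: a Python model of a pre-encoded immutable-args layout that computes each field's byte range, flags any two fields whose ranges overlap, and shows the overwrite a collision causes on an encoded blob. The 136-byte fixed header, 32-byte token words and 20-byte pump address follow the offsets quoted in the report; the remaining field names, sizes and the `pump_shift` knob are assumptions made for the example.

```python
from dataclasses import dataclass
from itertools import combinations
HEADER = 136   # first variable offset quoted in the report (assumed fixed header size)
WORD = 32
ADDRESS = 20


@dataclass(frozen=True)
class Field:
    name: str
    start: int   # byte offset into the pre-encoded immutable args
    size: int

    @property
    def end(self) -> int:   # exclusive end, so [start, end) is the field's range
        return self.start + self.size


def overlaps(a: Field, b: Field) -> bool:
    # Two half-open ranges collide iff each starts before the other ends.
    return a.start < b.end and b.start < a.end


def find_collisions(fields):
    """Return every pair of fields whose byte ranges overlap."""
    return [(a.name, b.name) for a, b in combinations(fields, 2) if overlaps(a, b)]


def well_layout(n, m, pump_data_len, pump_shift=0):
    """Variable section: n token words, m bytes of well-function data, then pump 1.
    pump_shift moves the pump fields; 0 places pump1Address at 136 + n*32 + m."""
    fields = [Field(f"token{i}", HEADER + i * WORD, WORD) for i in range(n)]
    wf_start = HEADER + n * WORD
    fields.append(Field("wellFunctionData", wf_start, m))
    pump_addr = wf_start + m + pump_shift
    fields += [
        Field("pump1Address", pump_addr, ADDRESS),
        Field("pump1DataLength", pump_addr + ADDRESS, WORD),
        Field("pump1Data", pump_addr + ADDRESS + WORD, pump_data_len),
    ]
    return fields


def encode_args(fields, values):
    """Write each field's bytes at its offset; a later field silently overwrites
    any earlier one it overlaps, which is the corruption a collision causes."""
    blob = bytearray(max(f.end for f in fields))
    for f in fields:
        v = values.get(f.name, b"\x00" * f.size)
        assert len(v) == f.size, f"{f.name}: expected {f.size} bytes"
        blob[f.start:f.end] = v
    return bytes(blob)


def read_arg(blob, field):   # _getArgBytes-style read by offset
    return blob[field.start:field.end]
```

Running `find_collisions` over a candidate layout is the check a reviewer would use to confirm or refute an overlap claim before reading any contract code; `encode_args` with a negative `pump_shift` reproduces the "wrong data when retrieved" symptom on a constructed blob.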

Reference

https://github.com/BeanstalkFarms/Basin/blob/master/src/Well.sol#L67-L105

Proof of concept

A PoC cannot technically be generated.

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close it, since it is out of scope for the Beanstalk bug bounty program.
  • claimed impact by the whitehat is not in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has not been submitted to the project
  • claimed severity is in scope for the bug bounty program

Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:

  • check if whitehat's claims are factually correct
  • check PoC to understand the validity
  • assess the submission's severity

These activities are the project's responsibility.

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.