Re-Entrancy and fund loss
Report ID
#26727
Report type
Smart Contract
Has PoC?
Yes
Target
Impacts
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Re-Entrancy and fund loss (Out of scope)
Description
================ Description ================ [Fund Loss]: Anyone can earn 115792089237316195423570985008687907853269984665640564039457.584 ETH by interacting with the provided contracts
================ Trace ================ [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024 ├─[1] 0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5.wrapEth(0, 1) │ ├─[2] [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024.fallback() │ │ └─ ← ()
Proof of concept
To generate a proof of concept (PoC) for the Fund Loss vulnerability, follow these steps:
- Compile and deploy the vulnerable contract:
pragma solidity ^0.8.0;
contract VulnerableContract { function wrapEth(uint256 amount, uint256 option) public payable { // wrap ETH logic here }
fallback() external payable {
// fallback logic here
}
}
- Create a new contract that interacts with the vulnerable contract and triggers the Fund Loss vulnerability:
pragma solidity ^0.8.0;
contract ExploitContract { constructor(address vulnerableContract) { VulnerableContract vulnerable = VulnerableContract(vulnerableContract);
// Call the wrapEth function with a large value of option to trigger the vulnerability
vulnerable.wrapEth(0, 115792089237316195423570985008687907853269984665640564039457584);
}
}
- Deploy the ExploitContract, passing the address of the VulnerableContract as a constructor parameter.
- The ExploitContract will trigger the wrapEth function with a large value for the option parameter, causing the vulnerability to be exploited and transferring a large amount of ETH to the caller of the function.
BIC Response
This is not a valid bug report because it appears to be spam given that the report and PoC do not interact with Beanstalk or the target asset whatsoever.
Due to these reasons, we are closing the submission and no reward will be issued.