Beanstalk Notion
Beanstalk Notion
📄

Report #26727

Report Date
December 9, 2023
Status
Closed
Payout

Re-Entrancy and fund loss

Report Info

Report ID

#26727

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0x77700005bea4de0a78b956517f099260c2ca9a26

Impacts

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Re-Entrancy and fund loss (Out of scope)

Description

================ Description ================ [Fund Loss]: Anyone can earn 115792089237316195423570985008687907853269984665640564039457.584 ETH by interacting with the provided contracts

================ Trace ================ [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024 ├─[1] 0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5.wrapEth(0, 1) │ ├─[2] [Sender] 0x68Dd4F5AC792eAaa5e36f4f4e0474E0625dc9024.fallback() │ │ └─ ← ()

Proof of concept

To generate a proof of concept (PoC) for the Fund Loss vulnerability, follow these steps:

  1. Compile and deploy the vulnerable contract:

pragma solidity ^0.8.0;

contract VulnerableContract { function wrapEth(uint256 amount, uint256 option) public payable { // wrap ETH logic here }

fallback() external payable {
    // fallback logic here
}

}

  1. Create a new contract that interacts with the vulnerable contract and triggers the Fund Loss vulnerability:

pragma solidity ^0.8.0;

contract ExploitContract { constructor(address vulnerableContract) { VulnerableContract vulnerable = VulnerableContract(vulnerableContract);

    // Call the wrapEth function with a large value of option to trigger the vulnerability
    vulnerable.wrapEth(0, 115792089237316195423570985008687907853269984665640564039457584);
}

}

  1. Deploy the ExploitContract, passing the address of the VulnerableContract as a constructor parameter.
  2. The ExploitContract will trigger the wrapEth function with a large value for the option parameter, causing the vulnerability to be exploited and transferring a large amount of ETH to the caller of the function.

BIC Response

This is not a valid bug report because it appears to be spam given that the report and PoC do not interact with Beanstalk or the target asset whatsoever.

Due to these reasons, we are closing the submission and no reward will be issued.