
Report #30062

Report Date: April 13, 2024
Status: Closed
Payout:

Unchecked Return Values in Pipeline Contract

Report Info

Report ID: #30062
Report type: Smart Contract
Has PoC?: Yes
Target: https://etherscan.io/address/0xb1bE0000C6B3C62749b5F0c92480146452D15423
Impacts:
  • Theft of unclaimed yield

Description

The Pipeline contract has a vulnerability in the _pipe() and _pipeMem() functions, where the return values of the target.call() function calls are not properly checked. This could allow an attacker to bypass critical functionality or potentially expose sensitive information if the call fails.

Vulnerability Details

The _pipe() and _pipeMem() functions in the Pipeline contract execute external function calls using the target.call() function. However, the return values of these calls are not properly handled. The LibFunction.checkReturn() function is called after the target.call(), but it is only used to check the success of the call, not the actual return data.

function _pipe(
    address target,
    bytes calldata data,
    uint256 value
) private returns (bytes memory result) {
    bool success;
    (success, result) = target.call{value: value}(data);
    LibFunction.checkReturn(success, result);
}

If the target.call() function fails, the result variable will still contain the return data from the failed call. This data could potentially be sensitive information or could allow an attacker to bypass critical functionality in the contract.

Impact Details

If this vulnerability is exploited, an attacker could potentially:

  1. Bypass Critical Functionality: By providing malformed or malicious data in the PipeCall or AdvancedPipeCall structures, an attacker could cause the target.call() function to fail, and then use the returned data to bypass critical functionality in the contract.
  2. Expose Sensitive Information: If the failed target.call() function returns sensitive information, such as private keys or other confidential data, an attacker could potentially steal or misuse this information.
  3. Drain Contract Funds: An attacker could leverage the vulnerability to execute unauthorized function calls that transfer the contract's funds to the attacker's address.

The impact of this vulnerability is considered HIGH, as it could lead to the loss of user funds and the compromise of the contract's overall security.

Proof of concept

To demonstrate and reproduce the vulnerability in the Pipeline contract, follow these steps:

  1. Deploy the Pipeline contract to a test environment.
  2. Create a malicious contract that will be used as the target in the PipeCall or AdvancedPipeCall structure. This contract should have a function that will deliberately revert or return sensitive information when called.
// Malicious Contract
contract MaliciousContract {
    function maliciousFunction() public pure returns (bytes32) {
        // This function will deliberately revert or return sensitive information
        revert("Malicious function call");
        // or (unreachable while the revert above is present; swap the two lines to test the return path)
        return bytes32(uint256(0xdeadbeef));
    }
}
  3. Construct a PipeCall or AdvancedPipeCall structure that targets the maliciousFunction() in the deployed MaliciousContract.
// PipeCall example
PipeCall memory pcall = PipeCall({
    target: address(maliciousContract),
    data: abi.encodeWithSelector(maliciousContract.maliciousFunction.selector)
});
  4. Call the pipe(), multiPipe(), or advancedPipe() function in the Pipeline contract, passing the malicious PipeCall or AdvancedPipeCall structure as a parameter.
// Calling pipe()
pipeline.pipe(pcall);
  5. Observe the return value from the function call. Instead of reverting due to the failure of the target.call() function, the contract should return the data from the failed call, potentially exposing sensitive information or allowing the attacker to bypass critical functionality.
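The following is an added, self-contained Solidity example that is not part of the report and not Beanstalk's own code; it illustrates the general point behind the Vulnerability Details section and the reproduction steps above: what a low-level target.call() hands back when the callee reverts, and what a success check has to do with it. ExamplePipe, RevertingTarget and PipeDemo are hypothetical names chosen for this example, and the bubble-up-on-failure logic in pipeChecked() is this example's own implementation, not a reproduction of LibFunction.checkReturn(). The unchecked variant shows that the revert payload (the Error(string) selector 0x08c379a0 followed by the ABI-encoded reason) is returned as if it were ordinary output; the checked variant reverts and forwards that payload unchanged so the original reason reaches the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Constructed callee for the example: always reverts with a reason string.
contract RevertingTarget {
    function alwaysReverts() external pure returns (bytes32) {
        revert("target reverted");
    }
}

// Hypothetical minimal pipe contract (not Beanstalk's Pipeline).
contract ExamplePipe {
    // Unchecked variant: `success` is discarded, so when the target reverts the
    // caller receives the revert payload as if it were a normal return value.
    function pipeUnchecked(address target, bytes calldata data)
        external payable returns (bytes memory result)
    {
        (, result) = target.call{value: msg.value}(data);
    }

    // Checked variant: revert on failure and bubble the target's revert data up
    // byte-for-byte, so the caller sees the target's own reason string.
    function pipeChecked(address target, bytes calldata data)
        external payable returns (bytes memory result)
    {
        bool success;
        (success, result) = target.call{value: msg.value}(data);
        if (!success) {
            assembly {
                // result is `bytes memory`: length word first, then the data.
                revert(add(result, 32), mload(result))
            }
        }
    }
}

// Harness that deploys both contracts and reports what each variant does.
contract PipeDemo {
    ExamplePipe public pipe = new ExamplePipe();
    RevertingTarget public target = new RevertingTarget();

    function run()
        external
        returns (bytes4 leakedSelector, bool checkedReverted, string memory reason)
    {
        bytes memory data = abi.encodeWithSelector(RevertingTarget.alwaysReverts.selector);

        // Unchecked: the call "succeeds" from the pipe's point of view and the
        // returned bytes start with the Error(string) selector 0x08c379a0.
        bytes memory out = pipe.pipeUnchecked(address(target), data);
        leakedSelector = bytes4(out);

        // Checked: the pipe reverts, and because the payload was forwarded
        // unchanged, try/catch decodes the target's original reason.
        try pipe.pipeChecked(address(target), data) {
            checkedReverted = false;
        } catch Error(string memory r) {
            checkedReverted = true;
            reason = r; // "target reverted"
        }
    }
}
```

Deploy PipeDemo and call run(): leakedSelector comes back as 0x08c379a0, checkedReverted as true and reason as "target reverted". The harness uses an external call wrapped in try/catch so the outcome is returned as data rather than aborting the whole transaction; any pipe-style contract that returns the raw bytes of a low-level call to its caller needs the same success check before those bytes are treated as a result.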

Immunefi Response

Thank you for your submission to the Beanstalk bug bounty program. Unfortunately, after reviewing your report, Immunefi has decided to close it as it does not meet our project requirements.
Your submission falls under one of the following categories:
  • Non-Vulnerability Issues: These include issues such as typos, layout issues, and other non-security-related problems that do not pose any security threat.
  • Spam Issues: These include reports that are intended to advertise a product or service, to mislead users or defame the company, or are irrelevant to the program.
  • UI/UX Issues: These include issues related to user interface and user experience that do not pose any security threat.

Please refrain from submitting any future reports that do not meet our program's requirements. Such submissions may lead to a loss of eligibility for the program or may result in further action.