Curve deployers are able to drain Beanstalk protocol funds
Report ID
#31820
Report type
Smart Contract
Has PoC?
Yes
Target
https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5
Impacts
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Description
Curve deployers are able to drain Beanstalk protocol funds.
Vulnerability Details
Beanstalk allows to exchange tokens through Curve pools using the CurveFacet facet. This allows an attacker to specify a pool address, which is not explicitly validated. Rather, it is implicitly validated in the getCoins() method:
For the STABLE_REGISTRY, new Curve pool implementations can only be added by the Curve DAO. This mechanism is implemented through Aragon. For the CURVE_REGISTRY and the CRYPTO_REGISTRY however, control over the ability to add new pools (including implementation) is delegated to a ProxyAdmin contract (0xEdf2C58E16Cc606Da1977e79E1e69e79C54fe242). This contract is not implementing a multi-sig, but rather allows either of two admin addresses to control the CURVE_REGISTRY and the CRYPTO_REGISTRY. These addresses, which are EOAs, are also called "Curve deployers". They are not related to the Beanstalk protocol at all, but implicitly trusted.
However, the ability to add arbitrary pool implementations has catastrophic effects for Beanstalk: The Curve facet completely trusts the return values of the pool implementations. Hence a malicious pool implementation could be used by any of these two admins -- or anyone gaining access to the corresponding private keys for that matter -- to all token balances from the Beanstalk contract.
Impact Details
The two deployer (admin) addresses (0xE6DA683076b7eD6ce7eC972f21Eb8F91e9137a17 and 0xbabe61887f1de2713c6f97e567623453d3C79f67) listed in the Curve ProxyAdmin contract (0xEdf2C58E16Cc606Da1977e79E1e69e79C54fe242) can drain the entire balance of any token of the Beanstalk contract. In the following we look at draining the BEAN balance, since this is the largest:
Converting the drained BEANs through the BEAN:WETH well yields 2712.5 ETH, which amounts to more than 10.3 million USD at the time of submitting this report.
Proposed fix
The Curve facet should always check that any amountOut/amountOuts values that are returned by Curve pools matches the actual token balance increase. This requires adding checks in exchange(), exchangeUnderlying(), removeLiquidity(), removeLiquidityImbalance() and removeLiquidityOneToken() of the CurveFacet.
References
Proof of concept
The PoC uses Foundry.
Create a new directory and run forge init in this directory. Add the following three files below (foundry.toml, src/MaliciousPool.sol and test/BeanStalkCurveDeployerTest.sol) and then run forge test -vvv.
Please note that the line evm_version='shanghai' is required in foundry.toml as the Beanstalk contracts use the PUSH0 opcode.
foundry.toml:
foundry.toml
[profile.default]
src = "src"
out = "out"
libs = ["lib"]
# See more config options https://github.com/foundry-rs/foundry/blob/master/crates/config/README.md#all-options
evm_version = 'shanghai'src/MaliciousPool.sol:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;
contract MaliciousPool {
address[2] public coins;
constructor(address[2] memory _coins) {
coins = _coins;
}
function exchange(uint256 /* i */, uint256 /* j */, uint256 /* dx */, uint256 min_dy) external pure returns (uint256) {
return min_dy;
}
}test/BeanStalkCurveDeployerTest.sol:
BIC Response
This is not a valid bug report because it is a known risk of using Curve. This is not an issue with the Beanstalk contracts. This is a similar trust assumption that Beanstalk makes with Chainlink's multisig, for example.
Due to these reasons, we are closing the submission and no reward will be issued.