Diamond.sol: 24 Without keeping track of the received funds, it becomes difficult to audit or monitor the incoming transactions. This could lead to a lack of transparency and the protocol to be accountable. The contract also does not have a withdraw function which means funds will be stuck in that contract forever.
Vulnerability Details
The receive function will work and if not the fallback function will kick in. However what concerns me is that balances received by this smart contract are not tracked and the lack of a mapping results in the protocol also not knowing who sent however much. The management of funds will fail and there is no transparency. How will the contract give out refunds for example.
Impact Details
The funds received will simply be stored in the contract without a proper management system. Without knowing who what made the payment.
// Empty receive function
contract FundReceiver {
receive() external payable {}
// Function to withdraw all funds from the contract
function withdrawAll(address payable recipient) external {
recipient.transfer(address(this).balance);
}
}
Immunefi Response
Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
claimed impact by the whitehat is not in scope for the bug bounty program
claimed asset by the whitehat is in scope for the bug bounty program
claimed severity is not in scope for the bug bounty program
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.