Report #33662

Report Date

July 25, 2024

Status

Closed

Payout

Reentrancy Vulnerability in claimFertilized Function Allows Direct Theft of User Funds

‣

Report Info

Report ID

#33662

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Illegitimate minting of protocol native assets
Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro The claimFertilized function in the FertilizerFacet.sol contract is susceptible to a reentrancy attack. This vulnerability allows an attacker to repeatedly call the function before the state changes are finalized, potentially leading to the direct theft of user funds. If exploited, this vulnerability could result in substantial financial losses for users and compromise the integrity of the contract.

Vulnerability Details The claimFertilized function interacts with the beanstalkUpdate function and then transfers tokens to the user. The critical issue is that the function performs an external call to transfer tokens before the state changes are finalized. This creates an opportunity for a reentrancy attack if the beanstalkUpdate function can be manipulated to re-enter the claimFertilized function.

function claimFertilized(uint256[] calldata ids, LibTransfer.To mode) external payable { uint256 amount = C.fertilizer().beanstalkUpdate(msg.sender, ids, s.bpf); LibTransfer.sendToken(C.bean(), amount, msg.sender, mode); } Reentrancy Risk: If beanstalkUpdate can be exploited to call claimFertilized again, it can allow an attacker to drain the contract’s funds by making multiple claims before the state is updated. Impact Details If exploited, this vulnerability can lead to:

Direct Theft of User Funds: Attackers could potentially withdraw more funds than they are entitled to, directly affecting the financial assets of users. Loss of Funds for Users: The reentrancy attack could result in a significant loss of funds, damaging the trust and stability of the contract and protocol. References FertilizerFacet.sol Code LibTransfer Documentation LibEthUsdOracle Documentation LibFertilizer Documentation

Proof of concept

To demonstrate the reentrancy vulnerability in the claimFertilized function, you can use the following PoC. This script simulates an attacker exploiting the vulnerability:

// Attacker contract code pragma solidity ^0.8.0;

import "./FertilizerFacet.sol";

contract Attacker { FertilizerFacet public target; address public owner;

} Setup: Deploy the Attacker contract with the address of the FertilizerFacet contract. Execution: Call the attack function, which will repeatedly exploit the vulnerability through reentrancy.

Immunefi Response

We have reviewed your submission, but unfortunately, we are closing the report for the following reasons:
The submission contains the output of an automated scanner without demonstrating that it is a valid issue.
The submission lacks the required information regarding the vulnerability's impact on the reported asset.
As per the bug bounty program's policy, we require all submissions to be accompanied by a Proof of Concept (PoC) that demonstrates the vulnerability's existence and impact. Since the submission doesn't provide any proof of the vulnerability's existence, we have decided to close it.
Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.

Reentrancy Vulnerability in claimFertilized Function Allows Direct Theft of User Funds

‣

Report Info

Report ID

#33662

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Illegitimate minting of protocol native assets
Contract fails to deliver promised returns, but doesn't lose value

Description

Proof of concept

To demonstrate the reentrancy vulnerability in the claimFertilized function, you can use the following PoC. This script simulates an attacker exploiting the vulnerability:

// Attacker contract code pragma solidity ^0.8.0;

import "./FertilizerFacet.sol";

contract Attacker { FertilizerFacet public target; address public owner;

constructor(address _target) {
    target = FertilizerFacet(_target);
    owner = msg.sender;
}

function attack(uint256[] calldata ids, LibTransfer.To mode) external {
    // Call claimFertilized to exploit reentrancy
    target.claimFertilized(ids, mode);
}

receive() external payable {
    // Re-enter claimFertilized to exploit reentrancy
    if (address(target).balance > 0) {
        target.claimFertilized(ids, mode);
    }
}

} Setup: Deploy the Attacker contract with the address of the FertilizerFacet contract. Execution: Call the attack function, which will repeatedly exploit the vulnerability through reentrancy.

Immunefi Response

We have reviewed your submission, but unfortunately, we are closing the report for the following reasons:

The submission contains the output of an automated scanner without demonstrating that it is a valid issue.
The submission lacks the required information regarding the vulnerability's impact on the reported asset.

As per the bug bounty program's policy, we require all submissions to be accompanied by a Proof of Concept (PoC) that demonstrates the vulnerability's existence and impact. Since the submission doesn't provide any proof of the vulnerability's existence, we have decided to close it.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.