Beanstalk Notion
Report #35237

Report Date
September 11, 2024
Status
Closed
Payout

Exposed Snapshot API Key on app.bean.money

Report Info

Report ID

#35237

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance

Description

Introduction: During an analysis of the web application https://app.bean.money, it was discovered that a Snapshot API key is exposed in a publicly accessible JavaScript file (index-EQtr5gH3.js). This type of exposure can lead to unauthorized access to Snapshot's API and misuse of the service, which can affect the functionality and security of voting processes or other operations using Snapshot.

Description: The Snapshot API key was found in the file index-EQtr5gH3.js and is publicly accessible. This key could potentially allow malicious actors to make unauthorized API requests, including the ability to query or interact with sensitive data related to governance, voting proposals, or user accounts.

File containing the key: https://app.bean.money/assets/index-EQtr5gH3.js

Exposed Key: VITE_SNAPSHOT_API_KEY: "83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59"

Impact: Unauthorized API Access: The exposed API key can allow unauthorized access to the Snapshot API, enabling attackers to query data or interact with governance and voting-related functions without proper authentication.

Manipulation of Voting Processes: If the API key allows access to sensitive governance-related operations, a malicious actor could manipulate or interfere with ongoing votes or governance processes, potentially undermining the integrity of decentralized decision-making.

Potential Abuse of API Rate Limits: Attackers could abuse this key to exceed API rate limits, causing service disruptions or denial of service for legitimate users of the platform.

Steps to Reproduce: Navigate to https://app.bean.money/assets/index-EQtr5gH3.js. Search for the keyword VITE_SNAPSHOT_API_KEY. The API key is exposed within the file and can be used to make API requests to Snapshot.

Proof of concept

curl -X POST https://hub.snapshot.org/graphql \
  -H "Content-Type: application/json" \
  -H "X-API-KEY: 83b2ba4f5e943503dad56d4afea4a5205ace935d702cb8c0a1151c995b474f59" \
  -d '{ "query": "{ proposals { id title body } }" }'
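The steps to reproduce above amount to "open the bundle and grep for VITE_". The following Node script is an added example (it is not part of the report or of the Beanstalk code base) that automates that check against any built JavaScript file: it pulls out every Vite-inlined VITE_* assignment, flags the ones whose names look like credentials, and separately flags long high-entropy string literals, because Vite also replaces a direct `import.meta.env.VITE_X` reference with the bare value, so the literal can appear without its variable name. The bundle text and the 64-hex-character key inside it are constructed placeholders, not the real index-EQtr5gH3.js or the real key.

```javascript
// Added example, not part of the report: scan a built JavaScript bundle for
// Vite-inlined environment variables and for token-like string literals.
// Vite substitutes import.meta.env.VITE_* with the value at build time, so
// anything under that prefix ships verbatim in the client bundle.
'use strict';

// Constructed sample of a minified bundle (not the real index-EQtr5gH3.js);
// the key value is a made-up 64-hex-character placeholder.
const SAMPLE_BUNDLE =
  'var xe={BASE_URL:"/",MODE:"production",DEV:!1,PROD:!0,' +
  'VITE_API_URL:"https://api.example.invalid/v1",' +
  'VITE_SNAPSHOT_API_KEY:"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"};' +
  'fetch("https://hub.snapshot.org/graphql",{headers:{"X-API-KEY":' +
  '"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}});';

const SECRET_NAME_RE = /KEY|SECRET|TOKEN|PASS/i;

function looksSecretName(name) {
  return SECRET_NAME_RE.test(name);
}

// Shannon entropy in bits per character: random hex is about 4, random
// base64 about 6, ordinary words and URLs usually below 3.5.
function shannonEntropy(s) {
  const freq = new Map();
  for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
  let h = 0;
  for (const n of freq.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Every VITE_NAME:"value" (or "VITE_NAME":"value") pair in the bundle.
function findViteEnv(text) {
  const hits = [];
  const re = /\b(VITE_[A-Z0-9_]+)"?\s*:\s*"((?:[^"\\]|\\.)*)"/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    hits.push({ name: m[1], value: m[2], secretLike: looksSecretName(m[1]) });
  }
  return hits;
}

// Quoted literals of 32+ token characters with high entropy, deduplicated,
// which catches values that were inlined without their variable name.
function findTokenLikeStrings(text, minEntropy = 3.5) {
  const seen = new Set();
  const hits = [];
  const re = /"([A-Za-z0-9_\-=]{32,})"/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const value = m[1];
    if (seen.has(value)) continue;
    seen.add(value);
    const entropy = shannonEntropy(value);
    if (entropy >= minEntropy) hits.push({ value, entropy: Number(entropy.toFixed(2)) });
  }
  return hits;
}

function scanBundle(text) {
  const env = findViteEnv(text);
  return { env, exposedSecrets: env.filter((e) => e.secretLike), tokens: findTokenLikeStrings(text) };
}

// Usage: node scan-bundle.js path/to/index-XXXX.js (falls back to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_BUNDLE;
  const result = scanBundle(text);
  for (const e of result.exposedSecrets) console.log(`exposed VITE env var: ${e.name} = ${e.value}`);
  for (const t of result.tokens) console.log(`token-like literal (entropy ${t.entropy}): ${t.value}`);
}
```

Point it at the downloaded bundle; a non-secret VITE_ value such as an API URL is reported in `env` but not in `exposedSecrets`, while a key shows up in both `exposedSecrets` and `tokens`. Run it as a CI step over `dist/assets/*.js` to catch the next VITE_-prefixed credential before it is deployed.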

Immunefi Response

Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed impact being out of scope.

Immunefi review:

  • The claimed impact "Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance" by the whitehat is in the scope of the bug bounty program, but the assessed impact doesn't match the claimed impact for the following reasons:
    • The whitehat didn't provide enough information on how the described issue would lead to the claimed impact.
  • The asset assessed by the triage team is in scope for the bug bounty program.
  • The PoC has been submitted to the project.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.
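Whatever the key turns out to grant (the report itself only demonstrates that it works as an X-API-KEY header on the hub and speculates about rate limits and governance access, which is the gap the review points to), the remediation is the same: a value that must stay private cannot live under the VITE_ prefix, because Vite inlines every such variable into the client bundle by design. The server-side proxy below is an added example, not Beanstalk's or Snapshot's code; the variable name SNAPSHOT_API_KEY, the route /api/snapshot and the size limit are assumptions made for this example. It refuses to start if a secret-looking VITE_ variable is present, reads the key only on the server, forwards a bounded read-only GraphQL body, and never passes client-supplied headers upstream.

```javascript
// Added example, not the project's code: keep the Snapshot hub key on the
// server and have the browser call a same-origin proxy, so the key is never
// written into the client bundle. SNAPSHOT_API_KEY, SNAPSHOT_HUB_URL and
// /api/snapshot are names assumed for this example.
'use strict';

const SNAPSHOT_HUB_URL = 'https://hub.snapshot.org/graphql';
const MAX_BODY_BYTES = 8 * 1024;

// Vite inlines every VITE_* variable into the client bundle, so the key must
// use a name without that prefix and be read only in server-side code.
function loadServerConfig(env) {
  const bundled = Object.keys(env).filter(
    (k) => k.startsWith('VITE_') && /KEY|SECRET|TOKEN|PASS/i.test(k),
  );
  if (bundled.length > 0) {
    throw new Error(`secret-looking VITE_ variables would be inlined into the client bundle: ${bundled.join(', ')}`);
  }
  if (typeof env.SNAPSHOT_API_KEY !== 'string' || env.SNAPSHOT_API_KEY.length === 0) {
    throw new Error('SNAPSHOT_API_KEY is not set');
  }
  return { hubUrl: env.SNAPSHOT_HUB_URL || SNAPSHOT_HUB_URL, apiKey: env.SNAPSHOT_API_KEY };
}

// Validate the client body and build the upstream request. Only the query
// and variables are forwarded; the key is attached here and client headers
// are dropped, so a browser cannot smuggle its own X-API-KEY through.
function buildUpstreamRequest(rawBody, config) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) throw new Error('body too large');
  let parsed;
  try {
    parsed = JSON.parse(rawBody);
  } catch (_e) {
    throw new Error('body is not JSON');
  }
  if (!parsed || typeof parsed !== 'object' || typeof parsed.query !== 'string') {
    throw new Error('missing GraphQL query');
  }
  if (/^\s*(mutation|subscription)\b/.test(parsed.query)) {
    throw new Error('only query operations are proxied');
  }
  return {
    url: config.hubUrl,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-API-KEY': config.apiKey },
      body: JSON.stringify({ query: parsed.query, variables: parsed.variables ?? {} }),
    },
  };
}

// fetchImpl is injectable so the proxy can be exercised without network access.
async function proxySnapshotQuery(rawBody, config, fetchImpl = fetch) {
  const { url, init } = buildUpstreamRequest(rawBody, config);
  const res = await fetchImpl(url, init);
  return { status: res.status, body: await res.text() };
}

// Request handler for POST /api/snapshot; pass it to http.createServer.
function makeHandler(config) {
  return (req, res) => {
    if (req.method !== 'POST' || req.url !== '/api/snapshot') {
      res.writeHead(404);
      res.end();
      return;
    }
    let raw = '';
    req.setEncoding('utf8');
    req.on('data', (chunk) => { raw += chunk; });
    req.on('end', async () => {
      try {
        const out = await proxySnapshotQuery(raw, config);
        res.writeHead(out.status, { 'Content-Type': 'application/json' });
        res.end(out.body);
      } catch (err) {
        res.writeHead(400, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify({ error: err.message }));
      }
    });
  };
}
```

On the client, `fetch('/api/snapshot', { method: 'POST', body: JSON.stringify({ query }) })` replaces the direct call to hub.snapshot.org, and the VITE_SNAPSHOT_API_KEY entry is deleted from the .env files so the bundle scanner from the earlier example finds nothing. Rotating the exposed key is still required: removing it from future builds does not invalidate copies already taken from the published bundle.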