
Report #36046

Report Date: October 16, 2024
Status: Confirmed
Payout: 1,000

Beanstalk address in Depot contract is incorrect

Report Info

Report ID: #36046
Report type: Smart Contract
Has PoC?: Yes
Target: https://arbiscan.io/address/0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c

Impacts

  • Contract fails to deliver promised returns, but doesn't lose value

Description

The newly deployed Depot contract on the Arbitrum One network is incorrectly trying to use the Ethereum network's beanstalk address.

Vulnerability Details

As can be seen below, the Arbitrum network's Depot contract is trying to make transactions using this address: "0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5", which belongs to an EOA on Arbitrum and to a Beanstalk contract on the Ethereum network:

contract Depot is DepotFacet, TokenSupportFacet {
    using SafeERC20 for IERC20;

    // Hardcoded Beanstalk address. It is the Beanstalk contract on Ethereum
    // mainnet, but the same compile-time constant is baked into the Arbitrum One
    // deployment, where the address is an EOA with no code.
    IBeanstalk private constant beanstalk =
        IBeanstalk(0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5);

I realize that there is no bounty set for low issues and that the issue is a bit too obvious, but I still wanted to point it out in case you missed it. :)

Impact Details

The contract will not work as expected and is dysfunctional in its current form, because the defined address cannot be changed.

Proof of concept

I thought it didn't need a PoC since it was so obvious and there was no bounty set for low issues, but this could be used as proof:

https://arbiscan.io/address/0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c?utm_source=immunefi#code#F1#L29

BIR-22: Beanstalk Address in Depot

BIC Response

Thank you for this report. We agree that this is a valid issue.

The BIC has determined that the severity of this report is "Medium" with an impact of "Contract fails to deliver promised returns, but doesn't lose value." As outlined in the program, for Medium severity reports, the BIC determines a reward between 1k and 10k Beans based on:

  • The exploitability of the bug;
  • The impact it causes; and
  • The likelihood of the vulnerability presenting itself.

Based on these criteria, the BIC has determined that 1,000 Beans be rewarded for this report.

    function transferToken(
        IERC20 token,
        address recipient,
        uint256 amount,
        From fromMode,
        To toMode
    ) external payable {
        if (fromMode == From.EXTERNAL) {
            token.safeTransferFrom(msg.sender, recipient, amount);
        } else if (fromMode == From.INTERNAL) {
            // @> Every INTERNAL-mode transfer is routed through the constant
            // `beanstalk` address, which on Arbitrum is an EOA rather than the
            // Beanstalk contract, so this path cannot work on that deployment.
            beanstalk.transferInternalTokenFrom(token, msg.sender, recipient, amount, toMode);
        } else {
            revert("Mode not supported");
        }
    }
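The mistake above (a compile-time constant that points at a contract on one chain and at a code-less EOA on another) is cheap to catch before deployment: pull every address literal out of the Solidity source and ask each target chain whether that address actually has bytecode. The script below is an added example written for this page, not Beanstalk's or Immunefi's code. The Depot excerpt is taken from the report; the per-chain bytecode lookup is a constructed stand-in for `eth_getCode`, with placeholder bytecode on "ethereum" and none on "arbitrum", matching what the report describes.

```python
"""Pre-deployment check for hardcoded addresses in Solidity source (added example)."""
import re
from typing import Callable, Dict, List

# A 20-byte address literal: 0x followed by exactly 40 hex digits, not part of a longer literal.
ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

# Excerpt of the Depot contract as quoted in the report.
DEPOT_SOURCE = """
contract Depot is DepotFacet, TokenSupportFacet {
    using SafeERC20 for IERC20;
    IBeanstalk private constant beanstalk =
        IBeanstalk(0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5);
}
"""

# CONSTRUCTED chain state standing in for eth_getCode on each network. The bytecode is a
# placeholder; what matters is that the address has code on Ethereum and none on Arbitrum.
FAKE_CODE: Dict[str, Dict[str, bytes]] = {
    "ethereum": {"0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5": bytes.fromhex("6080604052")},
    "arbitrum": {"0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5": b""},
}


def make_fake_get_code(chain: str) -> Callable[[str], bytes]:
    """Return an eth_getCode-like lookup over the constructed state (unknown address: no code)."""
    state = FAKE_CODE[chain]
    return lambda addr: state.get(addr.lower(), b"")


def extract_addresses(source: str) -> List[str]:
    """All distinct address literals in the source, lower-cased, in order of first appearance."""
    seen: List[str] = []
    for match in ADDRESS_RE.findall(source):
        addr = match.lower()
        if addr not in seen:
            seen.append(addr)
    return seen


def check_hardcoded_addresses(source: str, get_code: Callable[[str], bytes]) -> Dict[str, bool]:
    """Map each hardcoded address to whether it has code (is a contract) on the target chain."""
    return {addr: len(get_code(addr)) > 0 for addr in extract_addresses(source)}


def preflight(source: str, chains: Dict[str, Callable[[str], bytes]]) -> Dict[str, List[str]]:
    """Per chain, list the hardcoded addresses that have no code there.

    An empty list means every literal resolves to a contract on that chain; a non-empty
    list is a deployment blocker, since a constant cannot be fixed after deployment.
    """
    report: Dict[str, List[str]] = {}
    for chain, get_code in chains.items():
        results = check_hardcoded_addresses(source, get_code)
        report[chain] = [addr for addr, is_contract in results.items() if not is_contract]
    return report


if __name__ == "__main__":
    chains = {name: make_fake_get_code(name) for name in FAKE_CODE}
    for chain, missing in preflight(DEPOT_SOURCE, chains).items():
        status = "OK" if not missing else "no code at: " + ", ".join(missing)
        print(f"{chain:9s} {status}")
```

Against a live network the lookup is the real RPC call; with web3.py v6 that is roughly `lambda a: bytes(w3.eth.get_code(Web3.to_checksum_address(a)))` (this wiring is an assumption, not something the report shows). Run it once per chain the contract will be deployed to, and treat any address in the output as a blocker: the check is only useful before the constant is compiled in.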