Report #36112

Report Date
October 20, 2024
Status
Closed
Payout

Incorrect Contract Addresses in Depot Contract on Arbitrum

Report Info

Report ID

#36112

Report type

Smart Contract

Has PoC?

Yes

Target

https://arbiscan.io/address/0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c

Impacts

Contract fails to deliver promised returns, but doesn't lose value

Description

During an analysis of the Depot contract within the Beanstalk project deployed on Arbitrum, a medium severity issue was identified. The developers appear to have mistakenly hardcoded the contract addresses intended for Ethereum, rather than for Arbitrum. As a result, the contract's functionality is entirely compromised on the Arbitrum network. This report provides an overview of the vulnerability, its details, and the potential impact.

Vulnerability Details

The Depot contract interacts with several other smart contracts that are integral to its operations. These interactions are based on the addresses of the other contracts deployed on the same network. However, in this instance, the developers erroneously pasted the addresses of contracts deployed on Ethereum instead of those on Arbitrum. The affected parts are the following:

    IBeanstalk private constant beanstalk =
        IBeanstalk(0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5);

at https://arbiscan.io/address/0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c?utm_source=immunefi#code#F1#L28

and

    address private constant PIPELINE =
        0xb1bE0000C6B3C62749b5F0c92480146452D15423;

at https://arbiscan.io/address/0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c?utm_source=immunefi#code#F6#L22

Take, for example, the Pipeline contract: on Ethereum mainnet it is present, but on Arbitrum the address is just an EOA (Externally Owned Account) without any function available. To get the real one, that address needs to be changed to 0xb1bE000644bD25996b0d9C2F7a6D6BA3954c91B0.

Impact Details

The incorrect addresses result in a complete failure of the contract's intended functionality on Arbitrum. As the Depot contract is unable to communicate with the correct smart contracts, this could lead to:

  1. Loss of functionality: All the functions reliant on external contracts are non-functional. This means that users cannot use the Depot contract.
  2. User confusion and loss of trust: Users interacting with the Depot contract on Arbitrum will find it non-functional, leading to confusion, potential financial losses, and a decrease in trust in the Beanstalk project on the Arbitrum network.

Proof of concept

    // SPDX-License-Identifier: UNLICENSED
    pragma solidity ^0.8.13;

    // Run against an Arbitrum fork: forge test --fork-url <ARBITRUM_RPC_URL>
    import {Test} from "forge-std/Test.sol";

    // Minimal interface for the Depot function exercised by the test.
    interface Depot {
        function transferDeposit(
            address sender,
            address recipient,
            address token,
            int96 stem,
            uint256 amount
        ) external payable returns (uint256 bdv);
    }

    contract CounterTest is Test {
        address bean = 0xBEA0005B8599265D41256905A9B3073D397812E4;

        // Fuzzed over amount and stem: the call is expected to revert for every input.
        function test_POCWalter(uint256 amount, int96 stem) external {
            vm.assume(amount < 1e12);
            // Fund address(10) with `amount` of the token, then call Depot as that account.
            deal(address(bean), address(10), amount);
            vm.prank(address(10));
            vm.expectRevert();
            Depot(0xDEb0f0dEEc1A29ab97ABf65E537452D1B00A619c).transferDeposit(address(10), address(11), bean, stem, amount);
        }
    }

BIC Response

Thank you for this report. We agree that this is a valid issue, however, a report for the same issue was already submitted to Immunefi 4 days prior to this one.

Thus, we are closing this report and a reward will not be issued.
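
A pre-deployment check for the failure this report describes, as an added example that is not part of the report or of Beanstalk's code: it pulls the hardcoded address constants out of the Solidity source and flags any that have no bytecode on the target chain. The function names and the offline node stand-in are assumptions made for illustration; `eth_getCode` is the standard JSON-RPC method.

```python
import json
import re
import urllib.request

# `constant NAME = 0x<40 hex>` or `constant NAME = Type(0x<40 hex>)`, across line breaks.
ADDR_CONST = re.compile(r"constant\s+(\w+)\s*=\s*(?:\w+\s*\(\s*)?(0x[0-9a-fA-F]{40})")

def hardcoded_addresses(source):
    """Return {constant_name: address} for address constants in Solidity source."""
    return dict(ADDR_CONST.findall(source))

def rpc_get_code(rpc_url):
    """Build a getter that asks a node for the bytecode at an address."""
    def get_code(address):
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_getCode",
                           "params": [address, "latest"]}).encode()
        req = urllib.request.Request(rpc_url, body, {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)["result"]
    return get_code

def missing_code(source, get_code):
    """Names of hardcoded dependencies that have no bytecode on the target chain."""
    return sorted(name for name, addr in hardcoded_addresses(source).items()
                  if get_code(addr) in ("", "0x"))

# The two constants quoted in the report.
DEPOT_SOURCE = """
    IBeanstalk private constant beanstalk =
        IBeanstalk(0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5);
    address private constant PIPELINE =
        0xb1bE0000C6B3C62749b5F0c92480146452D15423;
"""

def constructed_arbitrum_get_code(address):
    """Constructed stand-in for an Arbitrum node so the example runs offline.
    Assumption: only the corrected Pipeline address from the report has code;
    the report states the "no code" result for the old PIPELINE value only."""
    deployed = {"0xb1be000644bd25996b0d9c2f7a6d6ba3954c91b0": "0x6080"}  # dummy bytecode
    return deployed.get(address.lower(), "0x")

if __name__ == "__main__":
    # Live use: missing_code(source, rpc_get_code("<ARBITRUM_RPC_URL>"))
    for name in missing_code(DEPOT_SOURCE, constructed_arbitrum_get_code):
        print(f"{name}: no contract code at the hardcoded address on the target chain")
```

Run as a CI step against each chain a contract is deployed to, this fails the build before a contract with the wrong network's addresses ships.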