Report #38779

Report Date
January 13, 2025
Status
Closed
Payout

Beanstalk GCP creds leaked in github

Report Info

Report ID

#38779

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance

Description

Summary

A sensitive GCP credential token has been exposed in the GitHub repository. This allows unauthorized access to the services associated with the key, potentially leading to data leakage or other malicious actions.

Impact

Leakage of sensitive data. Malicious actors could modify or delete the data associated with the key. An attacker can perform excessive API calls, exhausting the allocated quota.

Recommendation

Immediately revoke the compromised key to prevent further misuse. Replace hard-coded credentials with environment variables to prevent accidental exposure.

Proof of concept

  1. Go to https://github.com/BeanstalkFarms/Beanstalk-Analytics/commit/fedefc69a6cc650988da472dd8bf2172d1efe20a#diff-056eea0a71455efcf9708b7ff52a6a7f5b34fe139a99f08c15a9096e39c623c5R6
  2. Search for bean-analytics-data-writer@tbiq-beanstalk-analytics.iam.gserviceaccount.com
  3. You will see the GCP creds JSON
  4. Copy the JSON into a file gcp.json and run the command below (you need the Google Cloud CLI installed for it)
  5. gcloud auth activate-service-account --key-file=gcp.json
  6. You will see that you are connected to that account, which means the key is still active
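As an added illustration of the recommendation above (example code, not part of the report or the Beanstalk project): a small Python check that flags GCP service-account key material in repository files, alongside the environment-variable lookup that replaces a hard-coded key. File names and key values are constructed placeholders; GOOGLE_APPLICATION_CREDENTIALS is the variable the Google client libraries read.

```python
import json
import os
import re
from typing import Dict, List, Tuple

# A GCP service-account key file is JSON with "type": "service_account", a
# client_email under *.iam.gserviceaccount.com and a PEM-encoded private key.
GSA_EMAIL_RE = re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com")
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

def gcp_key_indicators(text: str) -> List[str]:
    """Return findings for service-account key material found in text."""
    findings = [f"service account email {m.group(0)}" for m in GSA_EMAIL_RE.finditer(text)]
    if PEM_RE.search(text):
        findings.append("PEM private key block")
    try:
        doc = json.loads(text)
    except ValueError:
        return findings  # not a bare JSON key file; regex findings still apply
    if isinstance(doc, dict) and doc.get("type") == "service_account":
        findings.append(f"service_account JSON for project {doc.get('project_id')}")
    return findings

def scan_files(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan path -> contents pairs, e.g. the staged files in a pre-commit hook."""
    return [(path, f) for path, text in files.items() for f in gcp_key_indicators(text)]

def credentials_path_from_env() -> str:
    """Read the key path the Google client libraries look for; no hard-coded
    fallback, so a missing variable fails loudly instead of shipping a key."""
    path = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        raise RuntimeError("GOOGLE_APPLICATION_CREDENTIALS is not set")
    return path

# Constructed sample files with placeholder values (not the key from the report).
SAMPLE_FILES = {
    "gcp.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "data-writer@example-project.iam.gserviceaccount.com",
    }),
    "README.md": "# Analytics\nSet GOOGLE_APPLICATION_CREDENTIALS to the key path.\n",
}

if __name__ == "__main__":
    for path, finding in scan_files(SAMPLE_FILES):
        print(f"{path}: {finding}")
```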

BIC Response

Thank you for your report. There are currently no active GCP accounts affiliated with Beanstalk Farms, and the exposure you linked was identified years ago as belonging to an individual contributor. Therefore this particular credential leak is not eligible for a reward.